In a somewhat unusual step, cybercriminals are targeting banks in several West African nations, using off-the-shelf malware to gain entry, maintain persistence and exfiltrate data, combined with “living off the land” tactics.
Symantec said the attacks have been taking place since mid-2017, hitting financial institutions in Cameroon, Congo (DR), Ghana, Equatorial Guinea and Ivory Coast. The company said attacking banks in these nations is somewhat outside the norm for cybercriminals, but noted that expanding attacks into this region is likely another sign of the globalization of cybercrime.
It is not known whether the attacks are being carried out by a single group or by multiple parties, but Symantec did find several similarities across all the incidents it studied. The use of malware available on the dark web or from other sources, together with the use of a computer's or network's own operating system or administration tools to remain persistent and stay hidden, is a trend that has grown in popularity over the last few years, Symantec noted.
“They share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz. Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC and RDP,” the report stated.
Symantec detailed four of the attacks.
The first took place in mid-2017, when banks were hit with the NanoCore RAT and with PsExec, a Microsoft Sysinternals tool used for executing processes on other systems. The download may have used socially engineered documents and some tools similar to those used in the 2017 SWIFT attacks, which Symantec said could indicate the attackers were attempting to commit bank fraud.
The second wave of attacks started later in 2017, hitting banks in Ivory Coast, Ghana, Congo (DR) and Cameroon. Here the credential-stealing malware Mimikatz was used along with malicious PowerShell scripts. The malicious actors used the publicly available Microsoft administration tool UltraVNC and the commodity Cobalt Strike backdoor. Cobalt Strike creates a backdoor and then receives additional malware from its command and control server.
Ivory Coast was also the target of the third attack, which is undated. Here the RAT Backdoor.Gussdoor and Mimikatz were combined with two custom-built remote desktop protocol (RDP) tools to harvest credentials; RDP was likely used to help the attackers move laterally across the network, Symantec said.
The fourth attack, in December 2018, again targeted Ivory Coast and used the Imminent Monitor RAT, but Symantec gave no further information on it.
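As an added illustration, not taken from the Symantec report or the SC Media article, the Python below shows how a defender might triage the living-off-the-land activity described in the four attacks (PsExec service installs, encoded PowerShell, Mimikatz-style LSASS access and RDP logons) in Windows-style event records. The host names, IP address and record fields are constructed; the event IDs are the standard Windows Security (7045, 4624) and Sysmon (1, 10) identifiers.

```python
"""Flag living-off-the-land activity of the kind described above in Windows-style event records."""
import re

# Constructed sample events, loosely modelled on Windows Security and Sysmon fields (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "branch-pc-07", "event_id": 7045, "service_name": "PSEXESVC"},
    {"host": "branch-pc-07", "event_id": 1,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "branch-pc-07", "event_id": 10, "source_image": r"C:\Users\Public\mim.exe",
     "target_image": r"C:\Windows\system32\lsass.exe"},
    {"host": "swift-gw-01", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.5.77"},
    {"host": "teller-pc-03", "event_id": 1, "cmdline": "notepad.exe C:\\notes.txt"},
]

# PowerShell launched with a base64 command line (-e / -ec / -enc / -EncodedCommand)
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)

def is_psexec_service(ev):
    # PsExec installs a temporary service on the remote host; event 7045 records it (default name PSEXESVC)
    return ev.get("event_id") == 7045 and ev.get("service_name", "").upper() == "PSEXESVC"

def is_encoded_powershell(ev):
    # Sysmon process creation (event 1) whose command line carries an encoded PowerShell payload
    return ev.get("event_id") == 1 and bool(ENCODED_PS.search(ev.get("cmdline", "")))

def is_lsass_access(ev):
    # Sysmon ProcessAccess (event 10) against lsass.exe from a binary outside C:\Windows: Mimikatz-style credential theft
    return (ev.get("event_id") == 10
            and ev.get("target_image", "").lower().endswith("\\lsass.exe")
            and not ev.get("source_image", "").lower().startswith("c:\\windows\\"))

def is_rdp_logon(ev):
    # Security event 4624 with logon type 10 (RemoteInteractive) is an RDP session; review the source host
    return ev.get("event_id") == 4624 and ev.get("logon_type") == 10

RULES = {"psexec_service": is_psexec_service, "encoded_powershell": is_encoded_powershell,
         "lsass_access": is_lsass_access, "rdp_logon": is_rdp_logon}

def triage(events):
    """Return {host: [rule names]}; a host matching several rules is the one to investigate first."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev["host"], []).append(name)
    return hits

if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(names)}")
```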
While Symantec did have access to the malware through its security tools, a company spokesperson told SC Media that it has no visibility into what might have been stolen; however, considering the targets involved, it is a good guess the cybercriminals had a financial goal.