Symantec cyber security experts: West African Financial Institutions hit by wave of cyber attacks. One or more cybercrime groups targeted banks and organizations in Cameroon, DRC, Ghana, Equatorial Guinea, and Ivory Coast since at least mid-2017
West African Financial Institutions have been hit by wave of cyber attacks. To date, organizations in Cameroon, Congo (DRC), Ghana, Equatorial Guinea, and Ivory Coast have been affected. It has been reported by Symantec cyber security experts. The cybercrime targeted banks and other financial institutions, exploiting a range of the commodity malware and living off the land tools and tactics. Namely the use of operating system features or network administration tools to compromise victims’ networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate. The attacks have been underway since at least mid-2017. According to the company’s blog, “who is behind these attacks remains unknown. They could be the work of a single group or, more likely, several different groups employing similar tactics”. Symantec has observed four distinct cyber attack.
The threat actors launched four distinct cyber attack campaigns using commodity malware and living off the land tools-tactics. In the first the targets were Ivory Coast and Equatorial Guinea
The first cyber attacks campaign against West African banks and financial insitutions “has been underway since at least mid-2017 and has targeted organizations in Ivory Coast and Equatorial Guinea,” the cyber security experts stated. The cybercrime “infected victims with commodity malware known as NanoCore (Trojan.Nancrat) and were also observed using PsExec, a Microsoft Sysinternals tool used for executing processes on other systems, on infected computers. Lure documents used by the attackers referred to a West African bank which has operations in several countries in the region. Some tools used in these attacks are similar to tools mentioned in a 2017 SWIFT alert, indicating the attackers may have been attempting to perform financial fraud”.
The second wave of cyber attacks targeted Coast, Ghana, Congo (DRC), and Cameroon
The second type of cyber attack on West African banks and financial insitutions “began in late 2017 and targeted organizations in Ivory Coast, Ghana, Congo (DR), and Cameroon”. The cybercrime “used malicious PowerShell scripts to infect their targets and also used the credential-stealing tool Mimikatz (Hacktool.Mimikatz). They also made use of UltraVNC, an open-source remote administration tool for Microsoft Windows. The attackers then infected computers with the commodity malware known as Cobalt Strike (Trojan.Agentemis) which is capable of opening a backdoor on the computer, communicating with a command and control (C&C) server, and downloading additional payloads. Communication with the C&C server was handled by dynamic DNS infrastructure, which helped shield the location of the attackers”.
Ivory Coast was targeted again in the third and fourth cyber attack campaigns
The third type of attack on West African financial institutions “was directed against an organization in Ivory Coast. This had also been targeted by the second campaign. This second attack also involved the use of commodity malware, in this case the Remote Manipulator System RAT (Backdoor.Gussdoor), alongside Mimikatz and two custom Remote Desktop Protocol (RDP) tools. Since Mimikatz can be used to harvest credentials and RDP allows for remote connections to computers, it’s likely the attackers wanted additional remote access capability and were interested in moving laterally across the victim’s network”. The fourth and last type of cyber attack “began in December 2018 and was directed against organizations in Ivory Coast. The attackers used off-the-shelf malware known as Imminent Monitor RAT (Infostealer.Hawket)”.
The cyber security experts: The malware used were Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz. The living off the land tactics used tools such as PowerShell, PsExec, UltraVNC, and RDP
According to Symantec, whether the attacks were the work of one or more cybercrime groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz. Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP. Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.