Bluebottle hackers target financial institutions using Microsoft-signed driver

Bluebottle hackers target financial institutions in French-speaking countries in Africa


Attackers targeting banks in French-speaking countries using living-off-the-land and off-the-shelf tools have many similarities with the OPERA1ER group, say researchers

Security researchers at Symantec have uncovered the activities of a cybercrime gang that is aggressively targeting the banking sector in French-speaking African countries.

The gang, dubbed Bluebottle, is said to rely heavily on living-off-the-land techniques, dual-use tools and commodity malware rather than developing and deploying custom malware.

The researchers noted the use of a kernel-level driver signed through several Microsoft hardware developer accounts, a driver that other attackers have also deployed to disable defensive software. In December 2022, Microsoft disabled the hardware developer accounts involved and released security updates to revoke the certificates used.

The researchers believe the group has French-speaking members and operates from Africa, mostly targeting enterprises in the region, although it has also targeted firms in Paraguay, Argentina and Bangladesh.

Symantec observes that Bluebottle's actions seem to be a continuation of the activities of a previously-documented group identified as OPERA1ER by Group-IB researchers.

OPERA1ER activities were observed by Group-IB from mid-2019 to 2021, and the group is believed to have stolen at least $11 million in 30 targeted attacks during that time period.

There are a number of similarities in tactics, techniques and procedures between the activity observed by Symantec and that reported by Group-IB, including:

However, the Symantec observations are more recent, running from at least July 2022 to September 2022, with some activity likely beginning as early as May 2022.

Bluebottle's initial attack vector is unknown, although malicious files with French-language, job-related titles were discovered on victims' networks. The researchers think these files may have served as lures and, in some cases, were named in a way that led users to believe they were downloading a PDF file related to a job.

The most probable attack vector is spear-phishing, which also aligns with the initial vector employed by OPERA1ER.

Symantec first noticed the Bluebottle campaign in July. At that time, at least one victim was found to have been infected with infostealer malware dating to mid-May 2022. In that particular case, a ZIP file containing an executable SCR file served as the malware's delivery vehicle.
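The two delivery details above, file names crafted to look like a job-related PDF and a ZIP archive carrying an executable SCR file, are easy to screen for at a mail gateway or on an analyst's workstation. The following is an added example written for this article, not Symantec's tooling or a Bluebottle artefact: it classifies archive member names that pair a document-looking name with an executable extension, and runs the check over a constructed in-memory ZIP. The file names and contents are invented for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute; a genuine job offer or CV never needs these.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Extensions an attacker wants the recipient to believe they are opening.
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_filename(name):
    """Return a short reason if `name` looks like an executable disguised as a
    document, or None if nothing about the name is suspicious."""
    lower = name.lower().strip()
    exts = PurePosixPath(lower).suffixes      # e.g. ['.pdf', '.scr']
    if not exts:
        return None
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return None                           # real documents pass through
    # Double extension such as offre_emploi.pdf.scr: Explorer hides the last one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKES:
        return f"double extension {exts[-2]}{final}"
    # Right-to-left override character reverses how the tail of the name is shown.
    if "\u202e" in name:
        return "right-to-left override in name"
    # 'pdf' worked into the stem while the real extension is executable.
    stem = PurePosixPath(lower).stem
    if re.search(r"(^|[^a-z])pdf([^a-z]|$)", stem):
        return f"'pdf' in name but extension {final}"
    # .scr (screensaver) inside an attachment is rarely legitimate on its own.
    if final == ".scr":
        return "screensaver executable in attachment"
    return None


def scan_zip_bytes(data):
    """Inspect every member name in a ZIP held in memory.
    Returns a list of (member name, reason) for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = PurePosixPath(info.filename).name
            reason = classify_filename(base)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive (placeholder bytes, not real malware) that mimics
    the ZIP-with-SCR delivery described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Offre_emploi_2022.pdf.scr", b"MZ placeholder, not an executable")
        zf.writestr("Description_poste.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("README.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_bytes(build_sample_zip()):
        print(f"{member}: {reason}")
```

The check deliberately ignores plain `.exe` names with no document disguise, so it stays a lure detector rather than a generic executable blocker; adjust `EXECUTABLE_EXTS` and `DOCUMENT_LOOKALIKES` to the document types your organisation actually exchanges.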

In July, job-themed malware was discovered in paths suggesting it had been mounted as a CD-ROM. This might mean a physical disc was inserted, but it could equally indicate that a malicious ISO file was delivered to victims and then mounted.

GuLoader, a shellcode-based downloader with anti-analysis features, was included in the malware package. GuLoader first drops some legitimate binaries as a decoy for its malicious activity, then runs a secondary NSIS script that injects obfuscated shellcode into another process.

The Microsoft-signed malicious driver was used in conjunction with a controlling DLL to kill processes for security software running on the victims' networks.