West African Financial Institutions Hit by Wave of Attacks
Attackers using commodity malware and living off the land tools against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea.
Banks and other financial institutions in a number of West African countries have been targeted by cyber criminals employing a range of commodity malware and living off the land tools.
The attacks have been underway since at least mid-2017. To date, organizations in Cameroon, Congo (DR), Ghana, Equatorial Guinea, and Ivory Coast have been affected.
Who is behind these attacks remains unknown. They could be the work of a single group or, more likely, several different groups employing similar tactics.
Four types of attacks
Symantec has observed four distinct attack campaigns directed against financial targets in Africa. The first has been underway since at least mid-2017 and has targeted organizations in Ivory Coast and Equatorial Guinea. The attackers infected victims with commodity malware known as NanoCore (Trojan.Nancrat) and were also observed using PsExec, a Microsoft Sysinternals tool used for executing processes on other systems, on infected computers. Lure documents used by the attackers referred to a West African bank which has operations in several countries in the region. Some tools used in these attacks are similar to tools mentioned in a 2017 SWIFT alert, indicating the attackers may have been attempting to perform financial fraud.
The second type of attack began in late 2017 and targeted organizations in Ivory Coast, Ghana, Congo (DR), and Cameroon. The attackers used malicious PowerShell scripts to infect their targets and also used the credential-stealing tool Mimikatz (Hacktool.Mimikatz). They also made use of UltraVNC, an open-source remote administration tool for Microsoft Windows. The attackers then infected computers with the commodity malware known as Cobalt Strike (Trojan.Agentemis) which is capable of opening a backdoor on the computer, communicating with a command and control (C&C) server, and downloading additional payloads. Communication with the C&C server was handled by dynamic DNS infrastructure, which helped shield the location of the attackers.
The third type of attack was directed against an organization in Ivory Coast. This organization had also been targeted by the second campaign. This second attack also involved the use of commodity malware, in this case the Remote Manipulator System RAT (Backdoor.Gussdoor), alongside Mimikatz and two custom Remote Desktop Protocol (RDP) tools. Since Mimikatz can be used to harvest credentials and RDP allows for remote connections to computers, it’s likely the attackers wanted additional remote access capability and were interested in moving laterally across the victim’s network.
The fourth type of attack began in December 2018 and was directed against organizations in Ivory Coast. The attackers used off-the-shelf malware known as Imminent Monitor RAT (Infostealer.Hawket).
How the attacks were uncovered
All four attack types were first discovered through alerts generated by Symantec’s Targeted Attack Analytics (TAA). TAA leverages advanced artificial intelligence to analyze Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks.
A growing number of attackers in recent years are adopting “living off the land” tactics—namely the use of operating system features or network administration tools to compromise victims' networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate. However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers' use of living off the land tactics led to the discovery of their attacks.
Common threads
Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz.
Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP.
Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.
Globalization of cyber crime
Until now, Symantec has seen relatively little evidence of these kinds of attacks against the financial sector in West Africa. However, it now appears that there is at least one (and quite possibly more) groups actively targeting banks in the region.
Protection/Mitigation
Symantec has the following protection in place to protect customers against these attacks:
File-based protection
Indicators of Compromise
The following list of indicators of compromise is related to African banking attacks. It is likely that these indicators are used by multiple different actors.
The first attack type
Files
| MD5 | SHA256 | Description |
|---|---|---|
| 24015acd155ec7305805dbdff1dd074d | 80a2576c3148ba5123aa016bf01e72bba53995b172dd263ab2071fad1c9d548d | Trojan.Nancrat (Nanocore) |
| 4d49e578d359185324acda70a2880dd5 | 21c87bcccf7e5c164da7c94772ef71a065a862f9ce32341a38eb39ffb7804305 | Trojan.Nancrat (Nanocore) |
| 64b88486170e5cb890a7486965a90e84 | dab1953b9135a9bf0c5ffe86b87ab9a9c6fa34482004aa8bb2bf7ea8d72c8c62 | Trojan.Nancrat (Nanocore) |
| a8372b48280c6ee5b225f8ccd3cf4814 | 53f8afe36e562c92140f4f8fa1f8ffce9e1f48b1eaff96bd6ab4b03646b97dc3 | Trojan.Nancrat (Nanocore) |
| 8dd3e20fe9770843bc2c9b2523a7cfb2 | 8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846 | JavaScript downloader |
| 470cdc0ea9caed534b14bd5e195d19e8 | 5f456a55f18bf183a7c988617787a041b90e8ecbeed8a01c583597b3fd19b42e | JavaScript downloader |
| 605e99ea7dc4e73ae2af59cfb03360ec | ce58546eebd3c8e218b1db19c9c7b5ffe086ee814aab0e891061f8cba954b14d | JavaScript downloader |
| e8828b155567e587fbeca9069289e0d9 | 3b7cc16fa5c5a78f0d1816d09a71b835f589de842b20e8c96c7084b9b0a89ff3 | Trojan.Nancrat (Nanocore) |
Infrastructure
| Domain |
|---|
| nemesis225.ddns.net |
The second attack type
Files
| MD5 | SHA256 | Description |
|---|---|---|
| 48aa8247b840cc5bf6603972970be279 | 04f3a52fa8ae1a3af6c965f7c3a4655a98c3c8e1b3d3ffa9e4948bded6ed67d3 | Silently installs UltraVNC as a backdoor |
| c29b2a8249f9ef6adfc9625a2f09207b | 74456c52a6d02c06567c0ecf871a15aff25b2204374a62bbb2d5dd027d999fb9 | Trojan.Agentemis (Cobalt Strike) |
| dffdbe7c37216566b73f45547e95c907 | 28595218d1e6536df5ff53d90e5608f11751ddc2e7585a12bb041d8e9b31e550 | Trojan.Agentemis (Cobalt Strike) |
| 0e006ca75884ad69529d8bfb5871a0da | bc10d67886829d08e0241ad9c543e625df3f5443df0e7fbead9ca4f03081f71e | Shellcode downloader |
| 6ea6b4affcfb54fde3cb753283159018 | 8039284cd3c4306225f8f7494544de1699637c59bec4b1d1b4e01fc893f5b0d8 | Remote access tool |
| fee97320cd9a9848922b01c32a41cdd4 | 56e6f061c8424a70e796cf6a2a6d6fbbd691431cfa0aeed186cc50177831e5d9 | Remote access tool |
| 4acbde841b82fd7203e55ac83aa7c1fe | 0b038ee8dca1a0f5f9453303542ff2cddbbca2458fdf36b09a6756d4e5b0fec9 | Trojan.Agentemis (Cobalt Strike) |
Infrastructure
| Domain |
|---|
| moneygram.servehttp.com |
The third attack type
Files
| MD5 | SHA256 | Description |
|---|---|---|
| 97034d8a97b967b2f18a867b411552f7 | 6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d | Mimikatz |
| 332a5371389a8953a96bf09b69edcb6e | e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a | Mimikatz |
| 8184f24a4f4ff4438dba050b2e3d1af7 | c1993735265f4274b81a6edf789e0245f2f7f5ee78f4172101728a324cdd3d2d | Backdoor.Gussdoor (Remote Manipulator System) |
The fourth attack type
Files
| MD5 | SHA256 | Description |
|---|---|---|
| 49ae7d13f43bb04ed31d593787d4e17e | 06fe2b7ff6af10cd0ec8395490567f8a0f66d8e083a72f57f18e9ad74dfff727 | Infostealer.Hawket (Imminent Monitor) |
| 75e5594c6882704ea2889e3fd758cbbf | 6eb3281f5a80223a5b58af20d415453a9013a487c89d89cd7658bb7451902548 | Infostealer.Hawket (Imminent Monitor) |
Infrastructure
| Domain |
|---|
| noreply377.ddns.net |
