West African Financial Institutions Hit by Wave of Attacks

Attackers using commodity malware and living off the land tools against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea.

Banks and other financial institutions in a number of West African countries have been targeted by cyber criminals employing a range of commodity malware and living off the land tools.

The attacks have been underway since at least mid-2017. To date, organizations in Cameroon, Congo (DR), Ghana, Equatorial Guinea, and Ivory Coast have been affected.

Who is behind these attacks remains unknown. They could be the work of a single group or, more likely, several different groups employing similar tactics.

Four types of attacks

Symantec has observed four distinct attack campaigns directed against financial targets in Africa. The first has been underway since at least mid-2017 and has targeted organizations in Ivory Coast and Equatorial Guinea. The attackers infected victims with commodity malware known as NanoCore (Trojan.Nancrat) and were also observed using PsExec, a Microsoft Sysinternals tool used for executing processes on other systems, on infected computers. Lure documents used by the attackers referred to a West African bank which has operations in several countries in the region. Some tools used in these attacks are similar to tools mentioned in a 2017 SWIFT alert, indicating the attackers may have been attempting to perform financial fraud.

The second type of attack began in late 2017 and targeted organizations in Ivory Coast, Ghana, Congo (DR), and Cameroon. The attackers used malicious PowerShell scripts to infect their targets and also used the credential-stealing tool Mimikatz (Hacktool.Mimikatz). They also made use of UltraVNC, an open-source remote administration tool for Microsoft Windows, installed silently so that it served as a backdoor. The attackers then deployed Cobalt Strike (Trojan.Agentemis), an off-the-shelf post-exploitation framework whose payload opens a backdoor on the computer, communicates with a command and control (C&C) server, and downloads additional payloads. The C&C server was reached through dynamic DNS hostnames rather than registered domains, which makes the hosting location easy to change and harder to trace back to the attackers.

The third type of attack was directed against an organization in Ivory Coast that had already been targeted by the second campaign. This later intrusion also involved commodity malware, in this case the Remote Manipulator System RAT (Backdoor.Gussdoor), alongside Mimikatz and two custom Remote Desktop Protocol (RDP) tools. Since Mimikatz harvests credentials from memory and RDP provides interactive remote sessions, the attackers were most likely after additional remote access and the ability to move laterally across the victim’s network.

The fourth type of attack began in December 2018 and was directed against organizations in Ivory Coast. The attackers used off-the-shelf malware known as Imminent Monitor RAT (Infostealer.Hawket).


How the attacks were uncovered

All four attack types were first discovered through alerts generated by Symantec’s Targeted Attack Analytics (TAA). TAA leverages advanced artificial intelligence to analyze Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks.

A growing number of attackers in recent years have adopted “living off the land” tactics, meaning the use of operating system features or network administration tools to compromise victims' networks. By using these tools, attackers hope to hide in plain sight, since most activity involving them is legitimate. However, in each of the four cases a TAA alert was triggered precisely because a legitimate tool was being used maliciously. In short, the attackers' living off the land tactics are what led to the discovery of their attacks.

Common threads

Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz.

Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP.
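
The following Python script is an added illustration of the detection idea described in "How the attacks were uncovered" and of the living off the land tools listed here (PowerShell, PsExec, UltraVNC); it is not Symantec's TAA logic and not code from this write-up. It runs three rules over Windows event records: a PSEXESVC service installation or a psexec.exe launch, a powershell.exe launch carrying an -EncodedCommand argument (which it decodes to show the hidden script), and a silent winvnc.exe install or UltraVNC service registration. The event records, host names, user names and paths are constructed for the demo.

```python
"""Flag common living-off-the-land tool use in Windows event records.

Added illustration: not Symantec's TAA logic, only the kind of rule a
detection engineer would write for the tools named in the article.
The event records at the bottom are constructed, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int          # 4688 = process created, 7045 = service installed
    host: str
    user: str
    image: str = ""        # full path of the new process (4688)
    cmdline: str = ""      # its command line (4688; needs command-line auditing enabled)
    service: str = ""      # service name (7045)
    image_path: str = ""   # service binary path (7045)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    detail: str


# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script hidden in a -EncodedCommand argument, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects base64 of the script text encoded as UTF-16LE
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def detect(events):
    """Return one Finding per event that looks like PsExec, encoded PowerShell or UltraVNC use."""
    findings = []
    for ev in events:
        if ev.event_id == 7045:
            name, path = ev.service.lower(), ev.image_path.lower()
            if name == "psexesvc" or "psexesvc" in path:
                # PsExec copies PSEXESVC.exe to the target and registers it as a service
                findings.append(Finding(ev.host, ev.user, "PsExec",
                                        f"service {ev.service} installed from {ev.image_path}"))
            elif name == "uvnc_service" or "winvnc.exe" in path:
                findings.append(Finding(ev.host, ev.user, "UltraVNC",
                                        f"VNC server registered as service {ev.service}"))
        elif ev.event_id == 4688:
            exe = _basename(ev.image)
            if exe in ("psexec.exe", "psexec64.exe"):
                findings.append(Finding(ev.host, ev.user, "PsExec", ev.cmdline))
            elif exe in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_command(ev.cmdline)
                if decoded is not None:
                    findings.append(Finding(ev.host, ev.user, "PowerShell",
                                            f"encoded command decodes to: {decoded}"))
            elif exe == "winvnc.exe" and "-install" in ev.cmdline.lower():
                findings.append(Finding(ev.host, ev.user, "UltraVNC", ev.cmdline))
    return findings


# Constructed sample records (hosts, users and paths are made up for the demo)
EVENTS = [
    Event(4688, "wks-12", "CORP\\jdoe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event(7045, "srv-db1", "SYSTEM", service="PSEXESVC", image_path=r"%SystemRoot%\PSEXESVC.exe"),
    Event(4688, "wks-07", "CORP\\jdoe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"),  # base64 of UTF-16LE "whoami"
    Event(4688, "wks-07", "CORP\\jdoe", r"C:\Program Files\UltraVNC\winvnc.exe", "winvnc.exe -install"),
    Event(7045, "wks-07", "SYSTEM", service="uvnc_service",
          image_path=r"C:\Program Files\UltraVNC\winvnc.exe -service"),
    Event(4688, "wks-12", "CORP\\admin", r"C:\Tools\psexec.exe", r"psexec.exe \\srv-db1 -s cmd.exe"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.host:8} {f.user:12} {f.tool:11} {f.detail}")
```

Each of these tools has legitimate administrative uses, so in practice the findings would be enriched with context (whether the tool has been seen on that host before, whether the user is an administrator, whether the command line or service path matches the organisation's own deployment) before anyone is paged.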

Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.

Globalization of cyber crime

Until now, Symantec has seen relatively little evidence of these kinds of attacks against the financial sector in West Africa. However, it now appears that at least one group (and quite possibly more) is actively targeting banks in the region.

Protection/Mitigation

Symantec has the following protections in place against these attacks:

File-based protection (detection names as used in the indicator tables below)
Backdoor.Gussdoor
Hacktool.Mimikatz
Infostealer.Hawket
Trojan.Agentemis
Trojan.Nancrat

Indicators of Compromise

The following indicators of compromise relate to the African banking attacks. Because the malware and infrastructure are commodity, these indicators are likely shared by multiple different actors, so a match on one of them should not by itself be read as attribution to a particular group.

The first attack type

Files

MD5 | SHA256 | Description
24015acd155ec7305805dbdff1dd074d | 80a2576c3148ba5123aa016bf01e72bba53995b172dd263ab2071fad1c9d548d | Trojan.Nancrat (NanoCore)
4d49e578d359185324acda70a2880dd5 | 21c87bcccf7e5c164da7c94772ef71a065a862f9ce32341a38eb39ffb7804305 | Trojan.Nancrat (NanoCore)
64b88486170e5cb890a7486965a90e84 | dab1953b9135a9bf0c5ffe86b87ab9a9c6fa34482004aa8bb2bf7ea8d72c8c62 | Trojan.Nancrat (NanoCore)
a8372b48280c6ee5b225f8ccd3cf4814 | 53f8afe36e562c92140f4f8fa1f8ffce9e1f48b1eaff96bd6ab4b03646b97dc3 | Trojan.Nancrat (NanoCore)
8dd3e20fe9770843bc2c9b2523a7cfb2 | 8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846 | JavaScript downloader
470cdc0ea9caed534b14bd5e195d19e8 | 5f456a55f18bf183a7c988617787a041b90e8ecbeed8a01c583597b3fd19b42e | JavaScript downloader
605e99ea7dc4e73ae2af59cfb03360ec | ce58546eebd3c8e218b1db19c9c7b5ffe086ee814aab0e891061f8cba954b14d | JavaScript downloader
e8828b155567e587fbeca9069289e0d9 | 3b7cc16fa5c5a78f0d1816d09a71b835f589de842b20e8c96c7084b9b0a89ff3 | Trojan.Nancrat (NanoCore)

Infrastructure

Domain
nemesis225.ddns.net

The second attack type

Files

MD5 | SHA256 | Description
48aa8247b840cc5bf6603972970be279 | 04f3a52fa8ae1a3af6c965f7c3a4655a98c3c8e1b3d3ffa9e4948bded6ed67d3 | Silently installs UltraVNC as a backdoor
c29b2a8249f9ef6adfc9625a2f09207b | 74456c52a6d02c06567c0ecf871a15aff25b2204374a62bbb2d5dd027d999fb9 | Trojan.Agentemis (Cobalt Strike)
dffdbe7c37216566b73f45547e95c907 | 28595218d1e6536df5ff53d90e5608f11751ddc2e7585a12bb041d8e9b31e550 | Trojan.Agentemis (Cobalt Strike)
0e006ca75884ad69529d8bfb5871a0da | bc10d67886829d08e0241ad9c543e625df3f5443df0e7fbead9ca4f03081f71e | Shellcode downloader
6ea6b4affcfb54fde3cb753283159018 | 8039284cd3c4306225f8f7494544de1699637c59bec4b1d1b4e01fc893f5b0d8 | Remote access tool
fee97320cd9a9848922b01c32a41cdd4 | 56e6f061c8424a70e796cf6a2a6d6fbbd691431cfa0aeed186cc50177831e5d9 | Remote access tool
4acbde841b82fd7203e55ac83aa7c1fe | 0b038ee8dca1a0f5f9453303542ff2cddbbca2458fdf36b09a6756d4e5b0fec9 | Trojan.Agentemis (Cobalt Strike)

Infrastructure

Domain
moneygram.servehttp.com

The third attack type

Files

MD5 | SHA256 | Description
97034d8a97b967b2f18a867b411552f7 | 6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d | Mimikatz
332a5371389a8953a96bf09b69edcb6e | e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a | Mimikatz
8184f24a4f4ff4438dba050b2e3d1af7 | c1993735265f4274b81a6edf789e0245f2f7f5ee78f4172101728a324cdd3d2d | Backdoor.Gussdoor (Remote Manipulator System)

The fourth attack type

Files

MD5 | SHA256 | Description
49ae7d13f43bb04ed31d593787d4e17e | 06fe2b7ff6af10cd0ec8395490567f8a0f66d8e083a72f57f18e9ad74dfff727 | Infostealer.Hawket (Imminent Monitor)
75e5594c6882704ea2889e3fd758cbbf | 6eb3281f5a80223a5b58af20d415453a9013a487c89d89cd7658bb7451902548 | Infostealer.Hawket (Imminent Monitor)

Infrastructure

Domain
noreply377.ddns.net
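
As an added example (not part of Symantec's write-up or tooling), the Python script below turns the indicator lists above into a sweep. It hashes every file under a directory and matches the SHA256 values against the four tables, and it runs resolver log lines against the IOC domains, additionally flagging any other host under the same dynamic-DNS zones, which is the C&C infrastructure pattern described for the second attack type. The SHA256 hashes and the three domains are copied from this page; the log format, client addresses, timestamps and the planted sample file are constructed for the demo.

```python
"""Sweep files and DNS logs against the indicators listed above.

Added illustration, not Symantec tooling. Hashes and domains are the
page's IOCs; the log format, log lines and sample file are constructed.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> description, copied from the four IOC tables (match on SHA256, not MD5)
IOC_SHA256 = {
    "80a2576c3148ba5123aa016bf01e72bba53995b172dd263ab2071fad1c9d548d": "Trojan.Nancrat (NanoCore)",
    "21c87bcccf7e5c164da7c94772ef71a065a862f9ce32341a38eb39ffb7804305": "Trojan.Nancrat (NanoCore)",
    "dab1953b9135a9bf0c5ffe86b87ab9a9c6fa34482004aa8bb2bf7ea8d72c8c62": "Trojan.Nancrat (NanoCore)",
    "53f8afe36e562c92140f4f8fa1f8ffce9e1f48b1eaff96bd6ab4b03646b97dc3": "Trojan.Nancrat (NanoCore)",
    "8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846": "JavaScript downloader",
    "5f456a55f18bf183a7c988617787a041b90e8ecbeed8a01c583597b3fd19b42e": "JavaScript downloader",
    "ce58546eebd3c8e218b1db19c9c7b5ffe086ee814aab0e891061f8cba954b14d": "JavaScript downloader",
    "3b7cc16fa5c5a78f0d1816d09a71b835f589de842b20e8c96c7084b9b0a89ff3": "Trojan.Nancrat (NanoCore)",
    "04f3a52fa8ae1a3af6c965f7c3a4655a98c3c8e1b3d3ffa9e4948bded6ed67d3": "Silent UltraVNC installer",
    "74456c52a6d02c06567c0ecf871a15aff25b2204374a62bbb2d5dd027d999fb9": "Trojan.Agentemis (Cobalt Strike)",
    "28595218d1e6536df5ff53d90e5608f11751ddc2e7585a12bb041d8e9b31e550": "Trojan.Agentemis (Cobalt Strike)",
    "bc10d67886829d08e0241ad9c543e625df3f5443df0e7fbead9ca4f03081f71e": "Shellcode downloader",
    "8039284cd3c4306225f8f7494544de1699637c59bec4b1d1b4e01fc893f5b0d8": "Remote access tool",
    "56e6f061c8424a70e796cf6a2a6d6fbbd691431cfa0aeed186cc50177831e5d9": "Remote access tool",
    "0b038ee8dca1a0f5f9453303542ff2cddbbca2458fdf36b09a6756d4e5b0fec9": "Trojan.Agentemis (Cobalt Strike)",
    "6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d": "Mimikatz",
    "e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a": "Mimikatz",
    "c1993735265f4274b81a6edf789e0245f2f7f5ee78f4172101728a324cdd3d2d": "Backdoor.Gussdoor (Remote Manipulator System)",
    "06fe2b7ff6af10cd0ec8395490567f8a0f66d8e083a72f57f18e9ad74dfff727": "Infostealer.Hawket (Imminent Monitor)",
    "6eb3281f5a80223a5b58af20d415453a9013a487c89d89cd7658bb7451902548": "Infostealer.Hawket (Imminent Monitor)",
}
IOC_DOMAINS = {"nemesis225.ddns.net", "moneygram.servehttp.com", "noreply377.ddns.net"}
# The IOC domains sit under dynamic-DNS zones; other hosts under them deserve a look too
DDNS_ZONES = ("ddns.net", "servehttp.com")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, iocs=IOC_SHA256):
    """Walk root; return (path, sha256, description) for every file whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


_QNAME_RE = re.compile(r"\bqname=(\S+)")  # field name in the constructed log format below


def classify_dns(lines):
    """Split resolver log lines into exact IOC hits and other lookups under the same dynamic-DNS zones."""
    exact, ddns = [], []
    for line in lines:
        m = _QNAME_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()  # normalise trailing dot and case
        if name in IOC_DOMAINS:
            exact.append(name)
        elif name.endswith(tuple("." + z for z in DDNS_ZONES)):
            ddns.append(name)
    return exact, ddns


# Constructed resolver log lines (format, clients and timestamps are made up)
DNS_LOG = [
    "2019-01-14T09:12:03Z client=10.20.1.44 qname=update.microsoft.com qtype=A",
    "2019-01-14T09:12:09Z client=10.20.1.44 qname=moneygram.servehttp.com qtype=A",
    "2019-01-14T09:13:41Z client=10.20.1.71 qname=nemesis225.ddns.net. qtype=A",
    "2019-01-14T09:14:02Z client=10.20.1.71 qname=payroll-backup.ddns.net qtype=A",
    "2019-01-14T09:14:30Z client=10.20.1.90 reply=NXDOMAIN",
    "2019-01-14T09:15:12Z client=10.20.1.44 qname=NOREPLY377.DDNS.NET qtype=A",
]


def demo_sweep():
    """Plant one constructed file; sweep it against the real IOC set and against its own hash."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.docx")
        with open(path, "wb") as f:
            f.write(b"benign constructed content")
        real_hits = sweep_files(d)  # a benign file: no hit expected
        digest = sha256_file(path)
        test_hits = sweep_files(d, {digest: "constructed test entry"})
    return real_hits, test_hits, digest


if __name__ == "__main__":
    print("file sweep (real IOCs, then self-test):", demo_sweep()[:2])
    exact, ddns = classify_dns(DNS_LOG)
    print("IOC domains queried:", exact)
    print("other dynamic-DNS lookups:", ddns)
```

Matching on SHA256 rather than MD5 avoids collision games, and the trailing-dot and case normalisation in classify_dns matters because resolver logs differ on both. A hit under a dynamic-DNS zone that is not in the IOC list is only a lead, not a verdict, since those zones carry plenty of legitimate traffic.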
