Attacks hitting financial organizations in West Africa since at least mid-2017 rely on off-the-shelf malware, free hacking tools, and utilities already available on the target systems to steal credentials, install backdoors, and run commands.
Researchers observed four attack campaigns targeting institutions in Cameroon, Congo (DR), Ghana, Equatorial Guinea, and Ivory Coast. Some of the tools used cost as little as $25, although the use of the more expensive commercial penetration testing tool Cobalt Strike was also observed.
NanoCore trojan and PsExec
In one of the attacks, the threat actor used NanoCore trojan along with PsExec, a legitimate network administration tool, and delivered the malware via phishing emails.
Researchers part of Symantec’s Targeted Attacks Investigation Team say that this attack has been underway since at least mid-2017.
To lure the victim into installing the malware, the attacker used documents referring to a West African bank. The targets were in Ivory Coast and
The author of NanoCore was arrested in early 2017 and sentenced to 33 months in prison and two years of supervised release. He advertised the remote access trojan (RAT) on a hacker forum between 2014 and 2016 and then sold it to an unknown party.
Cobalt Strike, PowerShell scripts, and free tools
Another attack began in late 2017 and hit victims in Ivory Coast, Ghana, Congo (DR), and Cameroon. It combined malicious PowerShell scripts with Mimikatz, a hacking tool designed to steal credentials, and UltraVNC open-source software for remote administration.
The researchers say that Cobalt Strike was also employed to set a backdoor on the compromised system and to communicate with a command and control (C2) server.
The attackers also used a dynamic DNS service to hide their location by assigning a custom domain name to the IP address of the C2 server.
Mimikatz and custom RDP
In a third incident observed by the researchers, the intruders relied on Mimikatz, two custom remote desktop control tools, and the Remote Manipulator System (RMS) RAT.
“Since Mimikatz can be used to harvest credentials and RDP allows for remote connections to computers, it’s likely the attackers wanted additional remote access capability and were interested in moving laterally across the victim’s network,” say the researchers in a report shared with internetnewsblog.
A fourth attack started in December 2018 against a target in Ivory Coast and used the Imminent Monitor RAT.
None of the tools are new
It is worth noting that none of the tools used in these attacks are new or hard to come by. RMS, for instance, was discovered around 2011, while Imminent Monitor RAT has been known since 2015. Tutorials on how to configure and use them also abound on video-sharing websites.
Cobalt Strike is notorious for being used by the Cobalt/Carbanak bank robbers, who use it to build custom malware. The group ran over 100 hacks in more than 40 countries and stole in excess of 1 billion euros.
“A growing number of attackers in recent years are adopting ‘living off the land’ tactics—namely the use of operating system features or network administration tools to compromise victims’ networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate,” Symantec concludes.
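Because the tradecraft described above (PsExec, Mimikatz, PowerShell scripts, and a dynamic DNS name in front of the C2 server) blends in with legitimate administration, detection usually comes from correlating a few log signals rather than from a malware signature. The following is an added illustration, not code from the report or from Symantec: a small triage routine over constructed Windows/Sysmon-style event records. The event field names, the `.ddns.example` and `.dyn.example` suffixes, and the LSASS access-mask list are assumptions chosen for the example.

```python
"""Triage constructed Windows event records for the living-off-the-land
tradecraft discussed above: PsExec remote service installs, Mimikatz-style
access to LSASS, encoded PowerShell, and C2 names on dynamic DNS providers.
"""
import re

# Constructed sample events (not taken from the report). Field names follow
# Sysmon / Windows System log fields but are simplified for the example.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 10, "source": r"C:\Users\a\mk.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 22, "query": "update-host.ddns.example", "result": "203.0.113.7"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed dynamic DNS suffixes; a real deployment maintains its own list.
DDNS_SUFFIXES = (".ddns.example", ".dyn.example")
# LSASS access masks often associated with credential dumping (assumption).
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1038", "0x1fffff"}


def triage(events):
    """Return (finding_kind, detail) pairs for events matching the patterns."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        # Sysmon/System 7045: a new service named PSEXESVC is PsExec's remote agent.
        if eid == 7045 and ev.get("service", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", ev["image"]))
        # Sysmon 10: a process opening lsass.exe with a read/dump-style mask.
        elif (eid == 10 and ev.get("target", "").lower().endswith("lsass.exe")
              and ev.get("access") in LSASS_SUSPICIOUS_ACCESS):
            findings.append(("lsass_access", ev["source"]))
        # Sysmon 1: PowerShell launched with an encoded command switch.
        elif eid == 1 and re.search(r"(?i)\s-(enc|encodedcommand|e)\s",
                                    ev.get("cmdline", "")):
            findings.append(("encoded_powershell", ev["cmdline"]))
        # Sysmon 22: DNS query for a name under a dynamic DNS provider.
        elif eid == 22 and ev.get("query", "").lower().endswith(DDNS_SUFFIXES):
            findings.append(("dynamic_dns_c2", ev["query"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Each rule alone produces false positives in an environment where administrators really use PsExec or encoded PowerShell, so the value is in reviewing the combination on one host within a short window.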