Posted: 4 Min ReadThreat Intelligence

West African Financial Institutions Hit by Wave of Attacks

Attackers using commodity malware and living off the land tools against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea.

Banks and other financial institutions in a number of West African countries have been targeted by cyber criminals employing a range of commodity malware and living off the land tools.

The attacks have been underway since at least mid-2017. To date, organizations in Cameroon, Congo (DR), Ghana, Equatorial Guinea, and Ivory Coast have been affected.

Who is behind these attacks remains unknown. They could be the work of a single group or, more likely, several different groups employing similar tactics.

Four types of attacks

Symantec has observed four distinct attack campaigns directed against financial targets in Africa. The first has been underway since at least mid-2017 and has targeted organizations in Ivory Coast and Equatorial Guinea. The attackers infected victims with commodity malware known as NanoCore (Trojan.Nancrat) and were also observed using PsExec, a Microsoft Sysinternals tool used for executing processes on other systems, on infected computers. Lure documents used by the attackers referred to a West African bank which has operations in several countries in the region. Some tools used in these attacks are similar to tools mentioned in a 2017 SWIFT alert, indicating the attackers may have been attempting to perform financial fraud.

The second type of attack began in late 2017 and targeted organizations in Ivory Coast, Ghana, Congo (DR), and Cameroon. The attackers used malicious PowerShell scripts to infect their targets and also used the credential-stealing tool Mimikatz (Hacktool.Mimikatz). They also made use of UltraVNC, an open-source remote administration tool for Microsoft Windows. The attackers then infected computers with the commodity malware known as Cobalt Strike (Trojan.Agentemis) which is capable of opening a backdoor on the computer, communicating with a command and control (C&C) server, and downloading additional payloads. Communication with the C&C server was handled by dynamic DNS infrastructure, which helped shield the location of the attackers.

The third type of attack was directed against an organization in Ivory Coast. This organization had also been targeted by the second campaign. This second attack also involved the use of commodity malware, in this case the Remote Manipulator System RAT (Backdoor.Gussdoor), alongside Mimikatz and two custom Remote Desktop Protocol (RDP) tools. Since Mimikatz can be used to harvest credentials and RDP allows for remote connections to computers, it’s likely the attackers wanted additional remote access capability and were interested in moving laterally across the victim’s network.

The fourth type of attack began in December 2018 and was directed against organizations in Ivory Coast. The attackers used off-the-shelf malware known as Imminent Monitor RAT (Infostealer.Hawket).

How the attacks were uncovered

All four attack types were first discovered through alerts generated by Symantec’s Targeted Attack Analytics (TAA). TAA leverages advanced artificial intelligence to analyze Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks.

A growing number of attackers in recent years are adopting “living off the land” tactics—namely the use of operating system features or network administration tools to compromise victims' networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate. However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers' use of living off the land tactics led to the discovery of their attacks.

Common threads

Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz.

Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP.

Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.

Globalization of cyber crime

Until now, Symantec has seen relatively little evidence of these kinds of attacks against the financial sector in West Africa. However, it now appears that there is at least one (and quite possibly more) groups actively targeting banks in the region.

Protection/Mitigation

Symantec has the following protection in place to protect customers against these attacks:

File-based protection

Indicators of Compromise

The following list of indicators of compromise is related to African banking attacks. It is likely that these indicators are used by multiple different actors.

The first attack type

Files 

MD5SHA256Description
24015acd155ec7305805dbdff1dd074d 80a2576c3148ba5123aa016bf01e72bba53995b172dd263ab2071fad1c9d548d Trojan.Nancrat (Nanocore)
4d49e578d359185324acda70a2880dd5 21c87bcccf7e5c164da7c94772ef71a065a862f9ce32341a38eb39ffb7804305 Trojan.Nancrat (Nanocore)
64b88486170e5cb890a7486965a90e84 dab1953b9135a9bf0c5ffe86b87ab9a9c6fa34482004aa8bb2bf7ea8d72c8c62 Trojan.Nancrat (Nanocore)
a8372b48280c6ee5b225f8ccd3cf4814 53f8afe36e562c92140f4f8fa1f8ffce9e1f48b1eaff96bd6ab4b03646b97dc3 Trojan.Nancrat (Nanocore)
8dd3e20fe9770843bc2c9b2523a7cfb2 8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846 JavaScript downloader
470cdc0ea9caed534b14bd5e195d19e8 5f456a55f18bf183a7c988617787a041b90e8ecbeed8a01c583597b3fd19b42e JavaScript downloader
605e99ea7dc4e73ae2af59cfb03360ec ce58546eebd3c8e218b1db19c9c7b5ffe086ee814aab0e891061f8cba954b14d JavaScript downloader
e8828b155567e587fbeca9069289e0d9 3b7cc16fa5c5a78f0d1816d09a71b835f589de842b20e8c96c7084b9b0a89ff3 Trojan.Nancrat (Nanocore)

Infrastructure

Domain
nemesis225.ddns.net

The second attack type

Files

MD5SHA256Description
48aa8247b840cc5bf6603972970be279 04f3a52fa8ae1a3af6c965f7c3a4655a98c3c8e1b3d3ffa9e4948bded6ed67d3 Silently installs UltraVNC as a backdoor
c29b2a8249f9ef6adfc9625a2f09207b 74456c52a6d02c06567c0ecf871a15aff25b2204374a62bbb2d5dd027d999fb9 Trojan.Agentemis (Cobalt Strike)
dffdbe7c37216566b73f45547e95c907 28595218d1e6536df5ff53d90e5608f11751ddc2e7585a12bb041d8e9b31e550 Trojan.Agentemis (Cobalt Strike)
0e006ca75884ad69529d8bfb5871a0da bc10d67886829d08e0241ad9c543e625df3f5443df0e7fbead9ca4f03081f71e Shellcode downloader
6ea6b4affcfb54fde3cb753283159018 8039284cd3c4306225f8f7494544de1699637c59bec4b1d1b4e01fc893f5b0d8 Remote access tool
fee97320cd9a9848922b01c32a41cdd4 56e6f061c8424a70e796cf6a2a6d6fbbd691431cfa0aeed186cc50177831e5d9 Remote access tool
4acbde841b82fd7203e55ac83aa7c1fe 0b038ee8dca1a0f5f9453303542ff2cddbbca2458fdf36b09a6756d4e5b0fec9 Trojan.Agentemis (Cobalt Strike)

 Infrastructure

Domain
moneygram.servehttp.com

The third attack type

Files

MD5SHA256Description
97034d8a97b967b2f18a867b411552f7 6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d Mimikatz
332a5371389a8953a96bf09b69edcb6e e46ba4bdd4168a399ee5bc2161a8c918095fa30eb20ac88cac6ab1d6dbea2b4a Mimikatz
8184f24a4f4ff4438dba050b2e3d1af7 c1993735265f4274b81a6edf789e0245f2f7f5ee78f4172101728a324cdd3d2d Backdoor.Gussdoor (Remote Manipulator System)

The fourth attack type

Files

MD5SHA256Description
49ae7d13f43bb04ed31d593787d4e17e 06fe2b7ff6af10cd0ec8395490567f8a0f66d8e083a72f57f18e9ad74dfff727 Infostealer.Hawket (Imminent Monitor)
75e5594c6882704ea2889e3fd758cbbf 6eb3281f5a80223a5b58af20d415453a9013a487c89d89cd7658bb7451902548 Infostealer.Hawket (Imminent Monitor)

Infrastructure

Domain
noreply377.ddns.net

About the Author

Security Response Attack Investigation Team

The Attack Investigation Team is a group of security experts within Symantec Security Response whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis which helps customers respond to attacks.