Hackers are targeting financial firms in the Ivory Coast, Cameroon, Congo, Ghana and Equatorial Guinea, using commodity malware and living off the land tools, reported Symantec, the cybersecurity company, in a new blog post.
According to the company's Thursday (Jan. 17) blog post, banks and other financial firms in a number of West African countries have been targeted by hackers who are using a variety of the commodity tools to get in. While Symantec said it's not clear who is behind the attacks, it appears to most likely be several different groups using the same tactics. The attacks started around the middle of 2017, impacting banks and financial services companies in Cameroon, Congo (DR), Ghana, Equatorial Guinea and Ivory Coast.
Symantec said it has observed four attack campaigns that specifically target the financial firms in Africa. The first one targeted firms in Ivory Coast and Equatorial Guinea, infecting victims with commodity malware known as NanoCore. Some of the tools that were used in the attacks were similar to the tactics SWIFT warned about in 2017, noted Symantec. The second attack identified by Symantec started in the late part of 2017 and targeted firms in Ivory Coast, Ghana, Congo and Cameroon. The attacks relied on malicious PowerShell scripts to infect computers and used a credential-stealing tool called Mimikatz, reported Symantec. Once in the networks, hackers infected computers with Cobalt Strike, a commodity malware.
Symantec said the third attack targeted firms in Ivory Coast and involved the use of Remote Manipulator System RAT, another commodity malware, along with other tools. In December of 2018, the fourth type of attack was directed at organizations in Ivory Coast. In this attack, Symantec said hackers used Imminent Monitor RAT, an off-the-shelf malware, to infiltrate networks. Symantec said all four attacks were discovered via alerts generated by its Targeted Attack Analytics (TAA).
"A growing number of attackers in recent years are adopting 'living off the land' tactics — namely the use of operating system features or network administration tools to compromise victims' networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate," wrote Symantec in the blog post. "However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers' use of living off the land tactics led to the discovery of their attacks."