Employing ‘living off the land’ tactics and generic malware, an unidentified hacker group is reported to have attacked financial institutions of West Africa. ‘Living off the land’ tactics make use of legitimate network administration tools or operating system features to gain unauthorized access to the targets’ networks.
The hackers attacked organizations based in Equatorial Guinea, Cameroon, Ivory Coast, Congo (DR) and Ghana. Notably, the attacks date back to 2017, and the latest one is reported to have taken place in December 2018.
A total of four different attack campaigns that compromised the networks of various West African financial institutions have been observed by security researchers at Symantec.
Four Variants of Attack
In the first attack campaign, the hackers made use of infected Word documents belonging to a West African bank. The victims were infected with the NanoCore malware, which was executed on their devices through the Microsoft Sysinternals tool PsExec.
The second attack campaign made use of the hacking tool Mimikatz, the Cobalt Strike malware and the remote administration tool UltraVNC.
According to the Symantec report, the hackers employed PowerShell scripts to compromise networks in attacks they probably executed in late 2017; they used Mimikatz for credential stealing and resorted to UltraVNC for remote administration. In addition, Cobalt Strike was employed as a backdoor and to establish a connection with the C&C server in order to download additional payloads.
The third variant of the attack involved the Remote Manipulator System RAT, the hacking tool Mimikatz and RDP (Remote Desktop Protocol). This variant targeted organizations based in Ivory Coast; the hackers stole credentials through the Remote Manipulator System RAT and Mimikatz, which allowed them to establish a remote desktop connection.
The fourth variant of the attack employed the Imminent Monitor RAT, a stealer that exfiltrated information from compromised computers and downloaded additional malware. It is reported to have originated in December of last year.
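As an added defender-side example (not code from Symantec or from this article), the following detection logic flags the 'living off the land' chain described in the first and second campaigns: an Office document spawning a built-in tool, PsExec launching a payload on a remote host, and PowerShell run with an encoded command. The event field names, hosts and paths are constructed assumptions modelled on Sysmon process-creation records.

```python
"""Flag process-creation events that match the Office -> PsExec / PowerShell chain."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"psexec.exe", "psexec64.exe", "powershell.exe", "cmd.exe", "wmic.exe", "mshta.exe"}
# Common spellings of PowerShell's encoded-command switch (-e, -ec, -enc, -EncodedCommand).
ENCODED_PS = re.compile(r"(?i)\s-e(?:ncodedcommand|nc|c)?\s")
# PsExec names its target as a UNC-style host, e.g. \\FS02.
PSEXEC_TARGET = re.compile(r"\\\\[\w.-]+")


def base(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of alert tags that one process-creation event triggers."""
    parent, image = base(event["parent_image"]), base(event["image"])
    cmd = event.get("command_line", "")
    alerts = []
    if parent in OFFICE_APPS and image in LOLBINS:
        alerts.append("office_spawned_lolbin")      # document macro launching a tool
    if image in {"psexec.exe", "psexec64.exe"} and PSEXEC_TARGET.search(cmd):
        alerts.append("psexec_remote_exec")         # lateral execution via PsExec
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        alerts.append("encoded_powershell")         # obfuscated script invocation
    return alerts


def scan(events):
    """Return (host, image, tags) for every event that raised at least one alert."""
    return [(e["host"], base(e["image"]), tags) for e in events if (tags := classify(e))]


# Constructed sample events; hosts, paths and the encoded blob are dummies.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c start update.bat"},
    {"host": "WS01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc AAAAAAAA"},
    {"host": "WS01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec.exe", "command_line": r"PsExec.exe \\FS02 -s -d C:\Users\Public\svc.exe"},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "command_line": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for host, image, tags in scan(SAMPLE_EVENTS):
        print(host, image, ", ".join(tags))
```

A real deployment would correlate these tags across hosts and over time, since legitimate administrators also use PsExec and PowerShell; the Office-parent rule is the strongest single signal here.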