A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
The activity and targets fit the profile of the OPERA1ER hackers that have been attributed at least 35 successful attacks between 2018 and 2020.
The gang is believed to have French-speaking members and to operate from Africa, targeting organizations in the region, although they also hit companies in Argentina, Paraguay, and Bangladesh.
Bluebottle TTPs point to OPERA1ER
In a report today, researchers at Symantec, a division of Broadcom Software, reveal details about the activity of a cybercriminal group they track as Bluebottle that shares significant similarities with the OPERA1ER gang’s tactics, techniques, and procedures (TTPs).
OPERA1ER’s campaigns have been documented by cybersecurity company Group-IB in a lengthy report published in early November 2022, where researchers note the lack of custom malware and the extensive use of readily available tools (open source, commodity, frameworks).
Symantec’s report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver (kernel mode) that helps the attacker kill processes for security products running on the victim network.
The researchers say that the malware had two components, “a controlling DLL that reads a list of processes from a third file, and a signed ‘helper’ driver controlled by the first driver and used to terminate the processes in the list.”
It appears that the signed malicious driver has been used by multiple cybercriminal groups to disable defense. Mandiant and Sophos reported it in mid-December in a list that included kernel-mode drivers verified with Authenticode signatures from Microsoft’s Windows Hardware Developer Program.
Source: BleepingComputer
Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.
The version that Symantec researchers found, although the same driver, was signed with a digital certificate from the Chinese company Zhuhai Liancheng Technology Co., Ltd.
This shows that cybercriminals have providers that can supply legitimate signatures from trusted entities so their malicious tools can pass verification mechanisms and avoid detection.
The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.
Symantec says that the Bluebottle activity they saw was as recent as July 2022, and extended to September. However, it is possible that some of it likely started a few months earlier, in May.
The recent attacks show some new TTPs, as well, which include the use of GuLoader in the initial stages of the attack. Additionally, the researchers saw indications that the threat actor used ISO disk images as an initial infection vector in job-themed spear-phishing.
“However, the job-themed malware in July was observed in paths suggesting it had been mounted as CD-ROMs. This could indicate a genuine disc was inserted, but it could also be that a malicious ISO file was delivered to victims and mounted” – Symantec
Symantec researchers analyzed Bluebottle attacks against three different financial institutions in African countries. In one of them, the threat actor relied on multiple dual-use tools and utilities already available on the system:
Quser for user discovery
Ping for checking internet connectivity
Ngrok for network tunneling
Net localgroup /add for adding users
Fortinet VPN client – likely for a secondary access channel
Xcopy to copy RDP wrapper files
Netsh to open port 3389 in the firewall
The Autoupdatebat ‘Automatic RDP Wrapper installer and updater’ tool to enable multiple concurrent RDP sessions on a system
SC privs to modify SSH agent permissions – this could have been tampering for key theft or installation of another channel
Although the last activity on the victim network was seen in September, the researchers say that the Ngrok tunneling tool was present until November, supporting Group-IB’s finding about OPERA1ER hackers sitting on the compromised networks for long periods (between three to twelve months).
Bluebottle also used malicious tools such as GuLoader, Mimikatz to extract passwords from memory, Reveal Keylogger to record keystrokes, and the Netwire remote access trojan.
The threat actor started manual lateral movement activity about three weeks after the initial compromise, using a command prompt and PsExec.
While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB.