Security researchers at Symantec today detailed a new cybercrime group that’s actively targeting the financial sector in Francophone countries in Africa.
Dubbed “Bluebottle,” the group is said to make extensive use of living-off-the-land (LotL) techniques, dual-use tools and commodity malware, with no custom malware deployed. A LotL attack is a cyberattack in which intruders use legitimate software and functions already available on a system to perform malicious actions on it; the term comes from surviving on what can be foraged, hunted or grown in nature.
The activities of Bluebottle are believed to be linked to a previous group identified as OPERA1ER, which was active from mid-2019 to 2021. OPERA1ER is believed to have stolen at least $11 million over the course of 30 targeted attacks.
The initial attack vector used by Bluebottle is unknown, but malicious files found on victim networks had French-language, job-themed file names. The researchers believe that these files may have acted as lures and, in some cases, were named to trick users into thinking the file was a job-related PDF file. Spear-phishing is suspected as the likely attack vector, which also aligns with the initial vector previously used by OPERA1ER.
Bluebottle’s campaign was first observed by Symantec’s researchers in July, with at least one victim found to have been infected by infostealer malware that dated to mid-May 2022.
While noting that the group is using generic, off-the-shelf malware, the researchers found that the job-themed malware was observed in file paths suggesting it had been mounted as a CD-ROM. This could indicate that the infection vector was physical media, or that the malicious file arrived as an ISO image that was mounted on the victim’s computer.
The delivered malware included GuLoader, a shellcode-based downloader with anti-analysis features. The loader deploys some legitimate binaries as a decoy for its malicious activity before deploying a secondary NSIS script that injects obfuscated shellcode into another process.
Another set of malware deployed by the group was also found to have the likely goal of disabling security software on victim networks. The malware consisted of a controlling DLL that reads a list of process names and a signed “helper” driver used to terminate the processes on that list.
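Two of the behaviours described above lend themselves to simple endpoint detection logic: a document-named executable launched from a mounted ISO/CD-ROM path, and a driver load followed shortly by the termination of security-product processes. The following is an added example, not code from Symantec or the article; the telemetry records, field names, lure file name and security process names are all constructed placeholders, so adapt them to the event schema and product inventory of your own environment.

```python
import re

# Constructed sample telemetry (not from the Symantec report); field names are assumed.
EVENTS = [
    {"ts": 100, "type": "process_create", "image": r"E:\Candidature_Comptable.pdf.exe", "drive_type": "CDROM"},
    {"ts": 101, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "drive_type": "FIXED"},
    {"ts": 200, "type": "driver_load", "image": r"C:\Windows\Temp\helper.sys", "signed": True},
    {"ts": 205, "type": "process_terminate", "image": r"C:\Program Files\AV\avservice.exe"},
    {"ts": 900, "type": "process_terminate", "image": r"C:\Program Files\AV\avservice.exe"},  # too late to pair
]

# Double-extension lure pretending to be a document (e.g. "something.pdf.exe").
LURE_RE = re.compile(r"\.(pdf|docx?)\.(exe|scr|lnk|js)$", re.IGNORECASE)
# Placeholder names for security-product processes; replace with your own inventory.
SECURITY_PROCS = {"avservice.exe", "msmpeng.exe", "edrsensor.exe"}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lure_from_mounted_image(ev):
    """Executable with a document-like double extension run from a CD-ROM/ISO mount."""
    return (ev["type"] == "process_create" and ev.get("drive_type") == "CDROM"
            and LURE_RE.search(basename(ev["image"])) is not None)


def driver_then_security_kill(events, window=60):
    """Pair each driver load with security-process terminations within `window` seconds after it."""
    hits = []
    loads = [e for e in events if e["type"] == "driver_load"]
    for kill in events:
        if kill["type"] != "process_terminate" or basename(kill["image"]) not in SECURITY_PROCS:
            continue
        for ld in loads:
            delta = kill["ts"] - ld["ts"]
            if 0 <= delta <= window:
                hits.append((ld["image"], kill["image"], delta))
    return hits


def analyze(events):
    """Return human-readable alerts for both detections over a list of events."""
    alerts = [f"lure run from mounted image: {e['image']}" for e in events if lure_from_mounted_image(e)]
    for drv, proc, delta in driver_then_security_kill(events):
        alerts.append(f"driver {drv} loaded {delta}s before {proc} was terminated")
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```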
The end game of Bluebottle is believed to be persistence and credential theft. Victims have been identified in three African nations, along with an attack on a nonprofit organization in Canada.
“The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity,” the researchers conclude. “It appears to be very focused on Francophone countries in Africa, so financial institutions in these countries should remain on high alert.”