Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living-off-the-land techniques, dual-use tools, and commodity malware; no custom malware was deployed in this campaign.
The activity observed by Symantec, a division of Broadcom Software, appears to be a continuation of activity documented in a Group-IB report from November 2022. The activity documented by Group-IB spanned from mid-2019 to 2021; Group-IB reported that during that period the group, which it called OPERA1ER, stole at least $11 million in the course of 30 targeted attacks.
Similarities in the tactics, techniques, and procedures (TTPs) between the activity documented by Group-IB and the activity seen by Symantec include:
- Same domain seen in both sets of activity: personnel[.]bdm-sa[.]fr
- Some of the same tools used: Ngrok; PsExec; RDPWrap; Revealer Keylogger; Cobalt Strike Beacon
- No custom malware found in either set of activity
- The crossover in targeting of French-speaking nations in Africa
- Both sets of activity feature the use of industry-specific and region-specific domain names
While this does appear to be a continuation of the activity documented by Group-IB, the activity seen by Symantec is more recent, running from at least July 2022 to September 2022, though some of the activity may have begun as far back as May 2022. Some new TTPs have also been employed in recent attacks, including:
- Some indications the attackers may have used ISO files as an initial infection vector
- The use of the commodity malware GuLoader in the initial stages of the attack
- Indications the attackers have adopted the technique of abusing kernel drivers to disable defenses
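Two of the newer TTPs listed above, ISO files as a likely initial infection vector and the abuse of kernel drivers to disable defenses, both leave traces in endpoint telemetry that a defender can alert on. The script below is an added example written for this article; it is not Symantec's code and is not derived from any tool in the campaign. It runs two simple detections over constructed, Sysmon-style event records: it correlates an image-mount event for a `.iso` file with any later process launched from the resulting volume, and it flags kernel driver loads that come from a user-writable path or carry a non-valid signature. The field names `Image`, `ParentImage`, `ImageLoaded`, `Signed` and `SignatureStatus` follow Sysmon's Event ID 1 and Event ID 6; the `mount`/`unmount` record shape and the `TRUSTED_DRIVER_DIRS` allow-list are simplifications assumed for this example, and all sample events are made up.

```python
"""
Added example (not Symantec's code): two endpoint detections suggested by the
Bluebottle TTPs above, run over constructed, Sysmon-style event records.

  1. exec-from-mounted-iso:   a process whose image lives on a volume that was
                              mounted from an .iso file (mount correlated with
                              a later process-creation event).
  2. driver-load-untrusted-path / driver-signature-not-valid:
                              a kernel driver loaded from outside the Windows
                              driver directories, or with a signature status
                              other than "Valid" (Sysmon Event ID 6 fields).

Field names follow Sysmon where they exist; the mount/unmount record shape is a
simplification assumed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events in time order. None of these come from a real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2022-07-11T09:02:13", "kind": "mount",
     "ImagePath": r"C:\Users\alice\Downloads\facture_2022.iso", "Volume": "E:"},
    {"ts": "2022-07-11T09:02:40", "kind": "process",
     "Image": r"E:\facture.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ts": "2022-07-11T09:03:05", "kind": "process",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ts": "2022-07-11T09:10:00", "kind": "unmount", "Volume": "E:"},
    {"ts": "2022-07-11T09:11:00", "kind": "process",            # E: is a normal drive again
     "Image": r"E:\backup\tool.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ts": "2022-07-11T10:15:00", "kind": "driver",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ts": "2022-07-11T10:16:22", "kind": "driver",             # validly signed but dropped in Temp
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\drv.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ts": "2022-07-11T10:17:00", "kind": "driver",             # in-place but revoked certificate
     "ImageLoaded": r"C:\Windows\System32\drivers\old.sys",
     "Signed": "true", "SignatureStatus": "Revoked"},
]

# Assumed allow-list of directories a driver is normally loaded from (lower-case, trailing slash).
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers\ ".strip(),
    r"c:\windows\system32\driverstore\ ".strip(),
)


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Single pass over time-ordered events; returns alerts in the order they fire."""
    alerts: List[Alert] = []
    mounted_iso: Dict[str, str] = {}  # volume letter ("E:") -> path of the mounted .iso

    for ev in events:
        kind = ev["kind"]

        if kind == "mount":
            # Only track volumes backed by an .iso; VHD/VHDX mounts are out of scope here.
            if ev["ImagePath"].lower().endswith(".iso"):
                mounted_iso[ev["Volume"].upper()] = ev["ImagePath"]

        elif kind == "unmount":
            # Once the image is detached the drive letter may be reused by a legitimate volume.
            mounted_iso.pop(ev["Volume"].upper(), None)

        elif kind == "process":
            volume = ev["Image"][:2].upper()  # "E:\facture.exe" -> "E:"
            if volume in mounted_iso:
                alerts.append(Alert(
                    ev["ts"], "exec-from-mounted-iso",
                    f"{ev['Image']} launched from {mounted_iso[volume]} "
                    f"(parent {ev['ParentImage']})"))

        elif kind == "driver":
            path = ev["ImageLoaded"].lower()
            # A valid signature alone is not reassuring: bring-your-own-vulnerable-driver
            # abuse typically loads a legitimately signed driver from an unusual location.
            if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
                alerts.append(Alert(ev["ts"], "driver-load-untrusted-path", ev["ImageLoaded"]))
            if ev.get("SignatureStatus") != "Valid":
                alerts.append(Alert(
                    ev["ts"], "driver-signature-not-valid",
                    f"{ev['ImageLoaded']} status={ev.get('SignatureStatus')}"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.ts}  {alert.rule:<28} {alert.detail}")
```

On the sample data the script raises three alerts: the executable run from the mounted `facture_2022.iso`, the validly signed driver loaded from a Temp directory, and the in-place driver whose certificate status is `Revoked`; the process started from `E:` after the unmount is not flagged. In production the mount correlation would key on the real Windows mount telemetry rather than the simplified record used here, and the driver allow-list would be tuned to the fleet.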