Exploitation of Open-Source Tools by Cyber Criminals Targeting Financial Institutions Throughout Africa
Cybersecurity researchers have reported a series of cyber attacks targeting financial organizations across Africa since July 2023, utilizing a combination of open-source and publicly accessible tools to maintain persistent access.
Palo Alto Networks Unit 42 is tracking this activity as CL-CRI-1014, where “CL” denotes “cluster” and “CRI” signifies “criminal motivation.” The primary intent behind these attacks appears to be obtaining initial access that is then sold to other criminal entities on underground forums, which would make the threat actor an initial access broker (IAB).
Threat actors have been observed copying signatures from legitimate applications to forge file signatures on their own binaries, disguising their toolset so that malicious activity is harder to spot. This technique is commonly employed to make malware pass as a legitimate product.
The attacks are characterized by the deployment of tools such as PoshC2 for command-and-control (C2) operations, Chisel for tunneling malicious network traffic, and Classroom Spy for remote administration. While the precise methodology for infiltrating target networks remains unclear, once a foothold is established, attack sequences typically involve deploying the MeshCentral Agent along with Classroom Spy to take control of machines, followed by Chisel to circumvent firewalls and disseminate PoshC2 across other compromised Windows hosts.
To evade detection, payloads are masqueraded as legitimate software, utilizing icons from recognized products like Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. PoshC2 is made persistent on compromised systems through three primary methods:
- Establishing a service
- Creating a Windows shortcut (LNK) file in the Startup directory
- Implementing a scheduled task named “Palo Alto Cortex Services”
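The three persistence methods above all leave footprints in standard host telemetry, so they are a natural hunting target. The following added example is not code from the Unit 42 report or from the article; it triages constructed sample records shaped like Windows Security event 4698 (scheduled task created), System event 7045 (service installed) and Sysmon event 11 (file created). The record layout, the list of trusted install directories and every sample path are assumptions made for the example; only the task name “Palo Alto Cortex Services” and the impersonated product names come from the page.

```python
"""Triage constructed Windows event records for the PoshC2 persistence
methods reported for CL-CRI-1014: a new service, an LNK file in a Startup
folder, and a scheduled task impersonating a security product.
All records and paths below are constructed sample data (assumption)."""
import re

# Directories where binaries of the impersonated vendors are expected to live
# (assumption: adjust to the environment's actual software baseline).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Product names the cluster is reported to impersonate in task/service names and icons.
IMPERSONATED = ("cortex", "palo alto", "teams", "vmware")

# Per-user and all-users Startup folders both end with this path fragment.
STARTUP_LNK_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I
)

# Constructed sample events (not real telemetry). Keys are simplified field names.
SAMPLE_EVENTS = [
    {"id": 4698, "name": "\\Palo Alto Cortex Services",
     "path": "C:\\Users\\Public\\Libraries\\Cortex.exe"},
    {"id": 4698, "name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "path": "C:\\Windows\\System32\\defrag.exe"},
    {"id": 7045, "name": "Teams Update Service",
     "path": "C:\\ProgramData\\Teams\\Teams.exe"},
    {"id": 7045, "name": "VMware Tools",
     "path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"},
    {"id": 11, "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\Cortex.lnk"},
    {"id": 11, "path": "C:\\Users\\alice\\Documents\\notes.txt"},
]


def outside_trusted_dirs(path):
    """True when the executable is not under a vendor install location."""
    return not path.lower().startswith(TRUSTED_DIRS)


def impersonates_product(name):
    """True when a task or service name borrows an impersonated product name."""
    lowered = name.lower()
    return any(product in lowered for product in IMPERSONATED)


def triage(events):
    """Return one finding per event that matches a reported persistence method."""
    findings = []
    for ev in events:
        if ev["id"] in (4698, 7045):
            # Task or service named after a security/collaboration product but
            # launching a binary from outside the vendor's install directory.
            if impersonates_product(ev["name"]) and outside_trusted_dirs(ev["path"]):
                kind = "scheduled task" if ev["id"] == 4698 else "service"
                findings.append({
                    "event_id": ev["id"], "severity": "high", "name": ev["name"],
                    "reason": f"{kind} impersonates a product but runs from {ev['path']}",
                })
        elif ev["id"] == 11 and STARTUP_LNK_RE.search(ev["path"]):
            # Any new shortcut dropped into a Startup folder is worth a look.
            findings.append({
                "event_id": ev["id"], "severity": "medium", "name": ev["path"],
                "reason": "LNK file created in a Startup folder",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['event_id']}: {f['reason']}")
```

The path check deliberately does not rely on the binary being unsigned, because the cluster is reported to forge file signatures; a name-versus-location mismatch holds up even when the signature looks plausible. In production the same rules would run over the real event fields rather than the simplified dictionaries used here.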
In certain incidents, threat actors have stolen user credentials to configure a proxy using PoshC2. Researchers noted that PoshC2 can communicate with a C2 server via a proxy, indicating the likelihood that the threat actor customized PoshC2 implants specifically for the environment being targeted.
This is not the first instance of PoshC2 being utilized in attacks on financial services within Africa. An earlier incident in September 2022 detailed a spear-phishing campaign named DangerousSavanna that specifically targeted financial and insurance firms in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, delivering tools such as Metasploit, PoshC2, DWservice, and AsyncRAT.
Additionally, Trustwave SpiderLabs has recently unveiled a new ransomware group, dubbed Dire Wolf, which has already compromised 16 victims across multiple countries, focusing on sectors such as technology, manufacturing, and financial services. Analysis of the Dire Wolf ransomware indicates it is developed in Golang and possesses capabilities to disable system logging, terminate a pre-defined list of services and applications, and impede recovery efforts by deleting shadow copies.
While the initial access and lateral movement techniques utilized by Dire Wolf are currently unknown, it is imperative for organizations to adopt robust security practices and enable monitoring for the techniques elaborated in this analysis.