Cybercriminals are using a combination of hacking techniques to target financial institutions throughout West Africa, according to research published Thursday by Symantec.
Firms in Cameroon, Congo, Ghana, Equatorial Guinea and Ivory Coast have been hit with cyberattacks that combine known forms of malicious software with “living off the land” techniques to infiltrate organizations. “Living off the land” is industry jargon for hackers’ abuse of otherwise benign tools already installed on a computer. In this case, attackers used PowerShell scripts, remote desktop protocols and Microsoft administration tools to gain access to their targets, researchers found.
Symantec identified four types of such cyberattacks but did not attribute them to any specific hacking group. Instead it described the research as an example of the globalization of cybercrime.
“Until now, Symantec has seen relatively little evidence of these kinds of attacks against the financial sector,” the company said in a blog post. “However, it now appears that there is at least one (and quite possibly more) groups actively targeting banks in the region.”
In one attack that began in late 2017, cybercriminals combined the Mimikatz malware, a hacking tool for stealing credentials, with the use of UltraVNC, an open-source tool for Windows, to attack firms in Ivory Coast, Ghana, Congo and Cameroon. Thieves then used the Cobalt Strike malware to open a backdoor on affected computers and download other software, Symantec said.
This one-two punch, pairing known malicious software with the seemingly innocuous UltraVNC, makes it more difficult for security teams to detect that they have been breached, Symantec said.
“By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate,” the company blog noted.
Another attack against a target in Ivory Coast combined Mimikatz with a remote access tool and two custom remote desktop protocol tools, which allow users to connect with other computers.
“Since Mimikatz can be used to harvest credentials and RDP allowed for remote connections to computers, it’s likely the attackers wanted additional remote access capability and were interested in moving laterally across the victim’s networks,” Symantec said.
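The behaviour described in this article and in the quote above (PowerShell scripts run quietly, RDP connections used to move laterally after credentials are harvested) leaves traces in ordinary Windows Security logs. The following correlation pass is an added example written for this page; it is not code from Symantec or from the article. It runs three rules over a handful of constructed log records: PowerShell launched with hidden-window or encoded-command switches, RDP logons (event 4624, logon type 10) from anything other than a designated jump host, and one source address reaching several hosts over RDP within a short window. The event IDs and logon type are real Windows values; the hostnames, IP addresses, user names and the "allowed jump host" policy are hypothetical.

```python
"""Added example (not from the Symantec research or the article): a small
correlation pass over constructed Windows Security events that surfaces the
"living off the land" pattern described above.  Event IDs 4624 (logon) and
4688 (process creation) and logon type 10 (RemoteInteractive, i.e. RDP) are
real Windows identifiers; every host, IP, user and the policy below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: the only address expected to originate RDP sessions.
ALLOWED_RDP_SOURCES = {"10.0.5.10"}

# Constructed sample telemetry, shaped roughly like Security log fields.
SAMPLE_EVENTS = [
    {"ts": "2018-01-10T08:01:00", "host": "JUMP01", "event_id": 4624,
     "logon_type": 10, "user": "admin.ops", "src_ip": "10.0.5.10"},
    {"ts": "2018-01-10T09:14:00", "host": "WKS-114", "event_id": 4688,
     "user": "j.doe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2018-01-10T09:40:00", "host": "FS-02", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.7.114"},
    {"ts": "2018-01-10T09:52:00", "host": "FS-03", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.7.114"},
    {"ts": "2018-01-10T10:05:00", "host": "DC-01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.7.114"},
    {"ts": "2018-01-10T11:30:00", "host": "WKS-200", "event_id": 4624,
     "logon_type": 2, "user": "m.mensah", "src_ip": "127.0.0.1"},
    {"ts": "2018-01-10T13:00:00", "host": "WKS-200", "event_id": 4688,
     "user": "m.mensah", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def _abbreviates(token, full):
    """powershell.exe accepts any unambiguous prefix of a switch (-enc, -ec
    and -e all mean -EncodedCommand), so match by prefix, not exact string."""
    return len(token) >= 2 and full.startswith(token)


def powershell_indicators(cmdline):
    """Return the set of suspicious switch families on a PowerShell command
    line: encoded payload, hidden window, profile bypass."""
    toks = cmdline.lower().split()
    found = set()
    for i, tok in enumerate(toks):
        if _abbreviates(tok, "-encodedcommand"):
            found.add("encoded")
        elif _abbreviates(tok, "-noprofile"):
            found.add("noprofile")
        elif _abbreviates(tok, "-windowstyle") and i + 1 < len(toks) and toks[i + 1] == "hidden":
            found.add("hidden")
    return found


def analyze(events, fanout_window=timedelta(hours=1), fanout_hosts=3):
    """Run the three rules over a list of event dicts and return alert dicts."""
    alerts = []
    rdp_by_src = defaultdict(list)  # src_ip -> [(timestamp, target host)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 4688 and ev.get("process", "").lower() == "powershell.exe":
            hits = powershell_indicators(ev.get("cmdline", ""))
            if hits:
                alerts.append({"rule": "suspicious_powershell", "host": ev["host"],
                               "user": ev["user"], "indicators": sorted(hits)})
        elif ev["event_id"] == 4624 and ev.get("logon_type") == 10:  # RDP logon
            rdp_by_src[ev["src_ip"]].append((ts, ev["host"]))
            if ev["src_ip"] not in ALLOWED_RDP_SOURCES:
                alerts.append({"rule": "rdp_unexpected_source", "host": ev["host"],
                               "user": ev["user"], "src_ip": ev["src_ip"]})
    # Fan-out: one source reaching >= fanout_hosts distinct hosts inside the window.
    for src, logons in rdp_by_src.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= fanout_window}
            if len(hosts) >= fanout_hosts:
                alerts.append({"rule": "rdp_fanout", "src_ip": src,
                               "hosts": sorted(hosts), "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The prefix matching in `_abbreviates` is the part worth copying: a rule that looks only for the literal string `-EncodedCommand` misses `-enc` and `-e`, which PowerShell accepts just as readily. The fan-out rule is deliberately separate from the per-logon rule so that the jump host, which is expected to reach many machines, can be exempted from one without being exempted from the other.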
The company did not identify the targeted organizations.