Symantec Threat Intelligence researchers have confirmed the suspicious attacks uncovered by Jighi as “real targeted attacks on banks and other financial institutions in several West Africa countries by cyber criminals ” employing a range of commodity malware – readily available in cyber underground – and living off the land tools that allow them to hide in a sea of legitimate processes.
Until now, security experts like Symantec have seen relatively little evidence of these kinds of attacks against the financial sector in West Africa, but it now appears there is at least one group ( and quite possibly more groups ) actively targeting banks in region (Symantec ).
The attacks have been reported by Jighi since mid-2017 and have affected organizations in Cameroon, The Democratic Republic of the Congo, Ghana, Equatorial Guinea, and Ivory Coast. It is unknown who is behind these attacks which could be the work of a single group or, more likely, several different groups employing similar tactics to potentially perform financial fraud,steal network credentials and / or create remote access capability.
Experts have observed distinct attack campaigns directed against financial targets in Africa that share commonalities in the tools and tactics employed. Off-the-shelf, commodity malware was used, adding a level of anonymity to attacks and making it harder to link attacks together or attribute them to any one group of attackers. Additionally, most of the attacks leveraged living off the land tactics, making use of legitimate tools such as PowerShell, PsExec, and RDP.
These attacks campaigns were discovered through alerts generated by Enovise Threat Intelligence but publically confirmed and reported first by Symantec’s Targeted Attack Analytics, which uses advanced AI to spot patterns associated with targeted attacks.
As a major operator in the West Africa region, Jighi Security services and Enovise have alerted clients to keep close monitoring on their network activities. Known signature analysis is available for free.
For further information, please contact your advisor.