- Malware attack campaigns in four countries including Cameroon, Congo (DR), Ghana, Equatorial Guinea, and Ivory Coast, were analyzed.
- Independent researches by experts show that off-the-shelf toolkits are the most preferred option for cybercriminals.
Now, new research has shown that cybercriminals tend to rely on off-the-shelf malware and free hacking tools to conduct attacks across West African banks.
In an exclusive research piece by Symantec, researchers have listed out the most popular tools and methods chosen by attackers. Some of the tools deployed were priced very low. When it came to paid software, penetration testing tool Cobalt Strike took the spotlight.
Four types of attacks
From 2017, a string of cyber attacks was witnessed in the West African region, especially attacks targeting banks. Symantec, which conducted an extensive investigation into the matter, found out that there were four kinds of attacks.
- The first type of attacks were conducted with NanoCore (a commodity malware) and PsExec (a Microsoft Sysinternals tool for remote execution). Banks in Ivory Coast and Equatorial Guinea were the main targets.
- Malicious PowerShell scripts, Mimikatz (hacking tool), UltraVNC (hacking tool) and Cobalt Strike ( pen testing tool) were used in banks across Ivory Coast, Ghana, Congo, and Cameroon.
- Remote Manipulator System RAT, Mimikatz and two custom Remote Desktop Protocol (RDP) tools were used to break into an organization in Ivory Coast. Attackers also had remote access capability.
- Imminent Monitor RAT, a ready-made malware was used to target many banks across Ivory Coast.
"Living off the land" tactics
The attackers behind these incidents were observed to be adopting "living off the land" tactics. Such tactics focus on exploiting operating systems or network administration tools to compromise target networks. This makes it difficult to detect the intrusion since they hide behind legitimate tools.
The researchers stated that the set of incidents studied by them shared common tactics and type of tools. Due to the use of off-the-shelf malware in the attacks, it is more difficult to establish attribution to any threat actor group.
Moreover, until recently, no attacks were observed targeting the financial institutions in the Western African region. This indicates the increasing reach of cybercriminals globally.