Symantec researchers have published details about the activities of a cybercrime group they track as Bluebottle, revealing significant overlap in TTPs with the OPERA1ER gang.
As the researchers found, Bluebottle used a signed Windows driver in attacks on banks in French-speaking countries. The group's actions and goals also match the OPERA1ER profile, which was attributed at least 35 successful attacks between 2018 and 2020.
Back in early November 2022, Group-IB presented an extensive report analyzing the documented OPERA1ER campaigns, in which the researchers noted the absence of custom malware and the widespread use of publicly available tools.
The group is believed to include French-speaking members and to operate from Africa, targeting organizations in that region, but it has also struck companies in Argentina, Paraguay and Bangladesh.
Symantec's findings shed light on some technical details, including the use of the GuLoader tool to download malware, the use of a signed driver, and the neutralization of security tools in the victim's network.
The researchers note that the malware consisted of two components: a control DLL that reads a list of processes from a third file, and a signed "helper" driver that is controlled by the DLL and used to terminate the processes on that list.
Symantec also believes that this signed malicious driver was used by several cybercrime groups to disable protection, as Microsoft, Mandiant, Sophos and SentinelOne reported in December.
The sample discovered by Symantec, although it is the same driver, was signed with a digital certificate belonging to the Chinese company Zhuhai Liancheng Technology Co., Ltd, which indicates that the actors have access to providers able to obtain legitimate signatures from trusted signers.
The researchers note that the same driver was also used in a ransomware attack on a non-profit organization in Canada.
Symantec reports that the Bluebottle activity it observed began in July 2022 and lasted until September, but may have been recorded as early as May.
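The defensive angle on the two-component design described above is that a kernel driver load is immediately followed by a burst of security-process terminations on the same host. The following is an added illustrative correlation, not Symantec's tooling: it uses a simplified, Sysmon-like event shape with assumed field names, a hypothetical list of security-agent process names, and an assumed signer allowlist; the only value taken from the article is the certificate holder on the first driver load, and all events are constructed.

```python
"""Correlate kernel-driver loads from unexpected signers with bursts of
security-process terminations on the same host.

Added illustrative detection logic written for this article; it is not
Symantec's tooling. Event shape and field names are assumed (simplified,
Sysmon-like); all events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Processes whose termination right after a driver load is suspicious.
# Hypothetical security-agent names, not from the article.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "mssense.exe"}

# Signers the organisation expects on kernel drivers (assumed allowlist).
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Hardware Vendor Inc."}

# Constructed sample events. The signer on the first driver load is the
# certificate holder named in the article; hosts, paths and times are made up.
EVENTS = [
    {"ts": "2022-08-01T10:00:00", "host": "srv-01", "type": "DriverLoad",
     "image": r"C:\Windows\Temp\helper.sys",
     "signer": "Zhuhai Liancheng Technology Co., Ltd"},
    {"ts": "2022-08-01T10:00:04", "host": "srv-01", "type": "ProcessTerminate",
     "image": "edr_agent.exe"},
    {"ts": "2022-08-01T10:00:05", "host": "srv-01", "type": "ProcessTerminate",
     "image": "av_service.exe"},
    {"ts": "2022-08-01T10:00:06", "host": "srv-01", "type": "ProcessTerminate",
     "image": "notepad.exe"},
    {"ts": "2022-08-01T11:00:00", "host": "srv-02", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\nic.sys",
     "signer": "Example Hardware Vendor Inc."},
    {"ts": "2022-08-01T11:00:03", "host": "srv-02", "type": "ProcessTerminate",
     "image": "edr_agent.exe"},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def correlate(events, window=timedelta(seconds=60), min_kills=2):
    """Return one alert per driver load whose signer is not allowlisted and
    which is followed, within `window` on the same host, by at least
    `min_kills` terminations of security processes."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)

    alerts = []
    for host, host_events in by_host.items():
        for idx, event in enumerate(host_events):
            if event["type"] != "DriverLoad" or event["signer"] in TRUSTED_SIGNERS:
                continue
            loaded_at = parse_ts(event["ts"])
            killed = [
                later["image"].lower()
                for later in host_events[idx + 1:]
                if later["type"] == "ProcessTerminate"
                and parse_ts(later["ts"]) - loaded_at <= window
                and later["image"].lower() in SECURITY_PROCESSES
            ]
            if len(killed) >= min_kills:
                alerts.append({"host": host, "driver": event["image"],
                               "signer": event["signer"], "killed": killed})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule deliberately keys on the signer identity rather than on whether the signature is valid: the driver in the article carried a legitimate signature, so a "signed" status on its own is not a trust signal, and the allowlist of expected signers plus the temporal link to agent terminations is what separates it from an ordinary hardware driver load (the second host above).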
Recent attacks also show some new TTPs, including the use of GuLoader in the initial stages of the attack. In addition, the researchers found signs that the attacker used ISO disk images as the initial infection vector in job-themed spear phishing.
Symantec researchers analyzed Bluebottle attacks on three different financial institutions in African countries.
In one of them, the attacker relied on several dual-use tools and utilities already present on the system (quser, ping, Ngrok, net localgroup, the Fortinet VPN client, xcopy, netsh, Autoupdatebat 'Automatic RDP Wrapper installer and updater', and sc privs to change SSH agent permissions).
Bluebottle also used malicious tools: GuLoader, Mimikatz, Reveal Keylogger and the Netwire remote access Trojan.
The attacker began manual lateral movement about three weeks after the initial compromise, using the command line and PsExec.
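Because none of the tools in the list above is malicious on its own, detection has to look at the breadth and ordering of their use per host rather than at any single execution. The following is an added illustrative scorer written for this article, not Symantec's or Group-IB's tooling: it parses process-creation log lines of an assumed format, maps the tool names from the article (plus PsExec and Mimikatz) to coarse categories under an assumed scheme, and flags hosts on which the chain is broad or reaches lateral movement. The sample log is constructed; hosts, users and dates are made up.

```python
"""Score hosts for chains of dual-use / living-off-the-land tools of the kind
listed above (quser, ping, net localgroup, Ngrok, xcopy, netsh, sc, PsExec).

Added illustrative detection logic written for this article, not Symantec's
or Group-IB's tooling. The log line format and the category assignment are
assumptions; the sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Coarse category per tool image name (assumed mapping for scoring).
TOOL_CATEGORIES = {
    "quser.exe": "discovery",
    "ping.exe": "discovery",
    "net.exe": "discovery",          # e.g. "net localgroup administrators"
    "netsh.exe": "config_change",
    "sc.exe": "service_abuse",
    "xcopy.exe": "staging",
    "ngrok.exe": "tunneling",
    "psexec.exe": "lateral_movement",
    "mimikatz.exe": "credential_access",
}

# Assumed process-creation log line shape: ts host= user= image= cmdline="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample log (hosts, users and dates are made up).
SAMPLE_LOG = r"""
2022-07-20T09:12:01 host=ws-17 user=CORP\jdoe image=quser.exe cmdline="quser"
2022-07-20T09:12:40 host=ws-17 user=CORP\jdoe image=net.exe cmdline="net localgroup administrators"
2022-07-20T09:15:02 host=ws-17 user=CORP\jdoe image=ngrok.exe cmdline="ngrok tcp 3389"
2022-07-20T09:20:10 host=ws-17 user=CORP\jdoe image=netsh.exe cmdline="netsh interface show interface"
2022-08-10T14:03:11 host=ws-17 user=CORP\jdoe image=PsExec.exe cmdline="psexec \\srv-05 cmd.exe"
2022-07-21T08:00:00 host=ws-02 user=CORP\asmith image=ping.exe cmdline="ping srv-01"
2022-07-21T08:30:00 host=ws-02 user=CORP\asmith image=xcopy.exe cmdline="xcopy reports \\share\backup /E"
"""


def parse_log(text):
    """Yield one dict per line matching LINE_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def analyze(text, min_categories=3):
    """Per host: distinct tool categories seen, days between first and last
    tool use, and a flag when the chain is broad (>= min_categories) or
    reaches lateral movement."""
    per_host = defaultdict(lambda: {"categories": set(), "first": None, "last": None})
    for rec in parse_log(text):
        category = TOOL_CATEGORIES.get(rec["image"].lower())
        if category is None:
            continue  # not a tracked dual-use tool
        ts = datetime.fromisoformat(rec["ts"])
        entry = per_host[rec["host"]]
        entry["categories"].add(category)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)

    result = {}
    for host, entry in per_host.items():
        cats = sorted(entry["categories"])
        result[host] = {
            "categories": cats,
            "span_days": (entry["last"] - entry["first"]).days,
            "flagged": len(cats) >= min_categories or "lateral_movement" in cats,
        }
    return result


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, info)
```

The span in days between the first discovery command and the PsExec execution is reported alongside the categories because the article's timeline (lateral movement roughly three weeks after the initial compromise) means a per-host view has to retain history well beyond a typical short correlation window; the second host, with only discovery and copy activity, stays below the threshold.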
Although the analysis of the attacks and the tools used suggests that OPERA1ER and Bluebottle are the same group, Symantec does not confirm the scale of monetization reported by Group-IB.