[Nulled] » Information security » Symantec researchers report details about the activities of a cybercrime group they track as Bluebottle
January 16 2023

Symantec researchers report details about the activities of a

web3 16-01-2023, 12:38 Information security 166

Symantec researchers report details about the activities of a cybercrime group they track as Bluebottle, revealing significant similarities to the TTP gang OPERA1ER.

As the researchers found out, Bluebottle hackers used a signed Windows driver to attack banks in French-speaking countries. At the same time, the actions and goals correspond to the OPERA1ER profile, which were attributed to at least 35 successful attacks in the period from 2018 to 2020.

Back in early November 2022, Group-IB presented an extensive report on the results of the analysis of the documented OPERA1ER campaigns, in which the researchers noted the absence of specialized malware and the widespread use of available tools.

It is believed that the group includes French-speaking members and operates from Africa, targeting organizations in the region, also striking companies in Argentina, Paraguay and Bangladesh.

The results of Symantec's work allowed us to shed light on some technical details, including the use of the GuLoader tool to download malware and a signed driver, and the neutralization of protection tools in the victim's network.

The researchers note that the malware consisted of two components: a control DLL that reads the list of processes from the third file, and a signed "auxiliary" driver controlled by the first driver and used to terminate the processes in the list.

At the same time, Symantec believes that a signed malicious driver was used by several groups of cybercriminals to disable protection, as Microsoft, Mandiant, Sophos and SentinelOne reported in December.

The sample discovered by Symantec researchers, although it is the same driver, was signed with a digital certificate of the Chinese company Zhuhai Liancheng Technology Co., Ltd, which indicates that the actors have access to providers who can provide legitimate signatures from trusted persons.

The researchers note that the same driver was used as part of a ransomware attack on a non-profit organization in Canada.

Symantec reports that the Bluebottle activity they observed began in July 2022 and lasted until September, but could be fixed in May.

Recent attacks also show some new TTP that involve the use of GuLoader in the initial stages of the attack. In addition, the researchers found signs that the attacker used ISO disk images as the initial vector of infection in targeted phishing on the topic of work.

Symantec researchers analyzed Bluebottle attacks on three different financial institutions in African countries.

In one of them, the attacker relied on several dual-purpose tools and utilities already available in the system (Quser, ping, Ngrok, Net localgroup, Fortinet VPN client, Xcopy, Netsh, Autoupdatebat 'Automatic RDP Wrapper installer and updater' and SC privileges to change SSH agent permissions).

Bluebottle also used malicious tools: GuLoader, Mimikatz, Reveal Keylogger and the Netwire remote access Trojan.

The attacker started the manual lateral movement about three weeks after the initial compromise, using the command line and PsExec.

Although the analysis of the attacks and the tools used suggests that OPERA1ER and Bluebottle represent the same group, however, Symantec does not confirm the scale of monetization noted by Group-IB.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:38
  • Publication category(s): Information security
  • Number of views of the publication: 166
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Group-IB uncovered Dark

Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the

Read more
16 January 2023
Information security
In their latest report,

In their latest report, Crowdstrike report how Scattered Spider tried to implement BYOVD using an old Intel driver

Read more
16 January 2023
Information security
A group of researchers

A group of researchers from Texas A&M University, Temple University, the New Jersey Institute of Technology,

Read more
18 November 2022
Forums Invision Community»,Modifications Invision Community
Donations 3.4.3 -

Help fund your forum account with donations, set goals, and track donations from participants. Offer rewards for

Read more
21 November 2022
Forums Invision Community»,Plugins Invision Community
Donation module for IPS 4

Donations 3.4.3 is an excellent donation module for the IPS Community Suite 4 forum. Help replenish your forum

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    November 2024    »
MonTueWedThuFriSatSun
 123
45678910
11121314151617
18192021222324
252627282930 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +13 Total articles 6747
  • +13 Comments 4077
  • +27 Users : 5854