Main monetary and insurance coverage firms situated in French-speaking nations in Africa have been focused over the previous two years as a part of a persistent malicious marketing campaign codenamed DangerousSavanna.
Nations focused embody Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the spear-phishing assaults closely specializing in Ivory Coast in latest months, Israeli cybersecurity agency Verify Level stated in a Tuesday report.
An infection chains entail concentrating on staff of monetary establishments with social engineering messages containing malicious attachments as a way of preliminary entry, finally resulting in the deployment of off-the-shelf malware reminiscent of Metasploit, PoshC2, DWservice, and AsyncRAT.
“The menace actors’ creativity is on show within the preliminary an infection stage, as they persistently pursue the staff of the focused firms, continuously altering an infection chains that make the most of a variety of malicious file varieties, from self-written executable loaders and malicious paperwork, to ISO, LNK, JAR and VBE information in numerous mixtures,” the corporate stated.
The phishing emails are written in French and despatched utilizing Gmail and Hotmail companies, even because the messages additionally impersonate different monetary establishments in Africa to spice up their credibility.
Whereas assaults in 2021 leveraged macro-laced Microsoft Phrase paperwork as lures, the corporate’s choice to block macros in information downloaded from the web by default earlier this 12 months has led the DangerousSavanna actors to pivot to PDF and ISO information.
Moreover, the primary wave of assaults from the top of 2020 to the start of 2021 concerned using bespoke .NET-based instruments, which got here disguised as PDF information hooked up to phishing emails, to retrieve next-stage droppers and loaders from distant servers.
Whatever the technique used, post-exploitation actions carried out after acquiring an preliminary foothold embody establishing persistence, performing reconnaissance, and delivering extra payloads to remotely management the host, kill anti-malware processes, and log keystrokes.
The precise provenance of the menace actor stays unclear, however the frequent shift in its instruments and strategies demonstrates their data of open-source software program and their potential to fine-tune their ways for maximizing monetary achieve.
“If one an infection chain did not work out, they modified the attachment and the lure and tried concentrating on the identical firm many times looking for an entry level,” Verify Level stated. “With social engineering through spear-phishing, all it takes is one incautious click on by an unsuspecting consumer.”