Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group relies heavily on living-off-the-land techniques, dual-use tools, and commodity malware; no custom malware was deployed in this campaign.
The activity observed by Symantec, a division of Broadcom Software, appears to be a continuation of activity documented in a Group-IB report from November 2022. The activity documented by Group-IB spanned from mid-2019 to 2021; Group-IB reported that during that period this group, which it called OPERA1ER, stole at least $11 million in the course of 30 targeted attacks.
Similarities in the tactics, techniques, and procedures (TTPs) between the activity documented by Group-IB and the activity seen by Symantec include:
- Same domain seen in both sets of activity: personnel[.]bdm-sa[.]fr
- Some of the same tools used: Ngrok; PsExec; RDPWrap; Revealer Keylogger; Cobalt Strike Beacon
- No custom malware found in either set of activity
- Overlapping targeting of French-speaking nations in Africa
- Both sets of activity feature the use of industry-specific and region-specific domain names