Major financial and insurance companies located in French-speaking countries in Africa have been targeted over the past two years in a persistent malicious campaign codenamed DangerousSavanna.
The countries targeted are Ivory Coast, Morocco, Cameroon, Senegal and Togo, with spear-phishing attacks focusing heavily on Ivory Coast in recent months, Israeli cybersecurity firm Check Point said in a Tuesday report.
Infection chains involve targeting employees of financial institutions with social engineering messages carrying malicious attachments as the initial means of access, ultimately leading to the deployment of off-the-shelf malware and tooling such as Metasploit, PoshC2, DWservice and AsyncRAT.
“The creativity of threat actors is exposed in the initial infection phase, as they constantly pursue employees of targeted companies, constantly changing infection chains that use a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations,” the company said.
The phishing emails are written in French and sent through Gmail and Hotmail services, although the messages also impersonate other financial institutions in Africa to boost their credibility.
While 2021 attacks exploited Microsoft Word documents containing macros as decoys, Microsoft’s decision to block macros in files downloaded from the Internet by default earlier this year led DangerousSavanna actors to switch to PDF and ISO files.
Additionally, the first wave of attacks in late 2020 to early 2021 involved the use of bespoke .NET-based tools, disguised as PDF files attached to phishing emails, to retrieve next-stage droppers and loaders from remote servers.
Regardless of the method used, post-exploitation activities performed after gaining an initial foothold include establishing persistence, performing reconnaissance and delivering additional payloads to remotely control the host, kill anti-malware processes and record keystrokes.
The threat actor’s exact provenance remains unclear, but the frequent change of its tools and methods demonstrates its familiarity with open source software and its ability to hone its tactics to maximize financial gain.
“If a chain of infection didn’t work, they would change the attachment and the lure and try to target the same business over and over again trying to find an entry point,” Check Point said. “With social engineering via spear phishing, all it takes is one careless click from an unsuspecting user.”