Cybercrime group targeting banks in African Francophone countries

A cybercriminal group continues to target banks and financial institutions in Francophone countries across Africa, with attacks spreading since the outfit was first observed in 2018. 

In a report published Thursday by Symantec, the researchers examined a recent campaign by a group they’ve named Bluebottle, which several other cybersecurity firms have investigated in recent years. 

“Three different financial institutions in three African nations were compromised in the activity seen by Symantec, with multiple machines infected in all three organizations,” the researchers said. “The effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity. The attackers appear to be French speaking, so the possibility of them expanding this activity to French-speaking nations in other regions also cannot be ruled out.”

Symantec found that the group does not use custom malware in its attacks and that its activity shows several similarities to the campaign uncovered by the cybersecurity company Group-IB, which tracked attacks on financial institutions in Ivory Coast, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Uganda, Togo and others.

Group-IB documented a campaign by the same group – tracked by the company as OPERA1ER – that lasted three years, in which the group stole at least $11 million and potentially as much as $30 million in 30 different attacks on banks, financial services, and telecommunication companies mainly located in Africa between 2018 and 2022. 


Both campaigns also used tools with industry-specific and region-specific domain names. The campaign tracked by Symantec lasted from about May 2022 to September 2022 and involved the use of GuLoader, a remote access trojan used frequently over the last two years.

Symantec was unable to identify the initial infection vector but said the earliest malicious files they found on victim networks had French-language, job-themed file names. 

These files were likely used as lures to begin the attack, the researchers explained, noting that in some cases, the malware was named to trick the user into thinking it was a PDF file. 

Examples of file…