Cybersecurity experts recently identified a signed Windows driver being used in malicious online attacks on financial institutions in French-speaking countries. Evidence suggests that the threat operator behind the activity was also likely responsible for stealing $11 million from a range of other banks.

The selected targets and activity type match the profile of the infamous gang of hackers known as “OPERA1ER”. To date, as many as 35 successful attacks, taking place from 2018 to 2020, have been attributed to the outfit.

The hacker gang is believed to include French-speaking threat actors and is supposedly operating out of Africa, mainly targeting organisations within the region. However, the gang has also hit companies in Bangladesh and in South American countries such as Argentina and Paraguay.

OPERA1ER potentially identified by analysts

In a recent report, cybersecurity researchers at Broadcom Software’s Symantec division revealed specific details about a cybercriminal gang that they track under the name Bluebottle. The report showed that the tactics, techniques and procedures used by Bluebottle share substantial similarities with those employed by OPERA1ER.

Cybersecurity firm Group-IB has also documented the OPERA1ER gang’s campaigns in a comprehensive report published last November. In that report, the researchers noted the lack of bespoke malware and the heavy use of readily available tools.

However, Symantec’s recent report adds some technical details, such as the use of GuLoader, a tool designed for loading malicious software, and a signed kernel-mode driver that allows the attacker to kill processes belonging to security products running on a victim’s network.

The report explains that the malware has two different components. These include a controlling DLL that can read a list of specific processes from within a third file and a helper driver that is controlled by the initial driver and utilised to end the processes on the list.

It now appears that this malicious driver has been employed by multiple threat groups to disable defences. In December last year, it was reported by both Sophos and Mandiant.

Techniques and tactics observed

The recent attacks also show some new tactics, techniques and procedures (TTPs), such as the use of GuLoader during the early phases of the attack. Furthermore, the researchers found indications that the malicious actor employed ISO disk images as an initial infection vector in a job-themed, targeted spear-phishing attack.

Symantec commented:

“However, the job-themed malware in July was observed in paths suggesting it had been mounted as CD-ROMs. This could indicate a genuine disc was inserted, but it could also be that a malicious ISO file was delivered to victims and mounted.”

The research team analysed the Bluebottle attacks aimed at three different banks in African countries. During one of the attacks, the threat operator took advantage of multiple dual-use utilities and tools that were already present on the system.

Researchers at Symantec state that the Bluebottle activity they observed started as early as July 2022 and stretched to September, but it is more than possible that some of the activity started even earlier in May.