Financial organizations across Africa have been the target of sophisticated cyber attacks since at least July 2023, employing a blend of readily available and open-source tools for persistent access. Palo Alto Networks’ Unit 42 is tracking this campaign, known as CL-CRI-1014, and suggests the primary objective is to gain initial access and subsequently sell these compromised networks to other criminal entities, positioning the threat actors as initial access brokers (IABs).
The attackers are reportedly skilled at masking their malicious activities by mimicking legitimate applications, forging digital signatures to disguise their toolset and evade detection. This tactic of spoofing established software is a common yet effective method employed by threat actors to operate under the radar.
CL-CRI-1014 Campaign Utilizes Specialized Attack Tools
The CL-CRI-1014 campaign is characterized by the deployment of specific tools, including PoshC2 for command-and-control (C2) operations, Chisel for establishing covert network tunnels, and Classroom Spy for unauthorized remote administration. While the precise initial breach vector remains unclear, once a foothold is established, the attackers proceed to deploy MeshCentral Agent, followed by Classroom Spy to gain full control over compromised machines.
Subsequently, Chisel is introduced to bypass network firewalls, while PoshC2 is spread across other Windows hosts within the infected network. To further obfuscate their presence, the threat actors disguise their malicious payloads as legitimate software by using icons associated with well-known applications like Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. PoshC2 exhibits persistence through multiple methods, including the creation of a service, placement of a Windows shortcut (LNK) file in the Startup folder, and the establishment of a scheduled task named “Palo Alto Cortex Services.”
In some instances observed by cybersecurity researchers, the threat actors have reportedly pilfered user credentials. These stolen credentials are then leveraged to set up a proxy using PoshC2, enabling the attackers to route their C2 communications through compromised infrastructure. Additionally, researchers noted that some PoshC2 implants appear to have been specifically modified for the targeted victim environments, suggesting a degree of custom tailoring in their attack strategies.
This is not the first instance of PoshC2 being weaponized against financial services in Africa. In September 2022, a spear-phishing campaign dubbed DangerousSavanna was detailed, which targeted financial and insurance companies in several African nations, deploying tools such as Metasploit, PoshC2, DWservice, and AsyncRAT.
Emergence of the Dire Wolf Ransomware Group
Meanwhile, in related cybersecurity developments, Trustwave SpiderLabs has identified a new ransomware group named Dire Wolf. Since its emergence last month, Dire Wolf has claimed responsibility for at least 16 victims across a diverse geographical spread, including the U.S., Thailand, Taiwan, Australia, Bahrain, Canada, India, Italy, Peru, and Singapore. The primary sectors targeted by this group are technology, manufacturing, and financial services.
Analysis of the Dire Wolf ransomware has revealed it is developed in Golang and possesses capabilities designed to hinder recovery efforts. These include disabling system logging, terminating a predefined list of 75 services and 59 applications, and actively deleting shadow copies to prevent the restoration of compromised data. While details regarding the initial access, reconnaissance, or lateral movement techniques employed by Dire Wolf remain undisclosed, organizations are strongly advised to maintain robust security practices and implement vigilant monitoring for known attack techniques.
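The persistence methods attributed to the CL-CRI-1014 operators above (a service, a Startup-folder LNK, the "Palo Alto Cortex Services" scheduled task, payloads branded as Palo Alto, Microsoft or VMware software with forged signatures) and the recovery-inhibition behaviour attributed to Dire Wolf (shadow copy deletion, disabling of logging) all leave host telemetry that a defender can match on. The following Python is an added example, not code from the article, Unit 42 or Trustwave: it evaluates a handful of detection rules over constructed event records modelled loosely on Sysmon and Windows Security log fields. The only indicator taken from the article is the task name; the "trusted" service directories, the impersonated-vendor list used for the signature and task-name checks, and the command-line patterns for shadow copy deletion and log tampering are assumptions based on common tooling, and the sample events are invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Scheduled task name reported in the article for PoshC2 persistence.
KNOWN_TASK_NAMES = {"palo alto cortex services"}

# Vendors whose branding the article says the payloads impersonated (assumption: substring match is enough here).
IMPERSONATED_VENDORS = ("palo alto", "microsoft", "vmware", "broadcom")

# Where a legitimately installed service binary normally lives (assumption; tune per environment).
TRUSTED_SERVICE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Any .lnk dropped into a Startup folder (per-user or all-users path both end this way).
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Common shadow-copy deletion and logging-tamper command lines (general knowledge, not from the article).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
    re.IGNORECASE,
)
LOGGING_TAMPER_RE = re.compile(
    r"wevtutil(\.exe)?\s+(cl|clear-log|sl|set-log)\b|auditpol(\.exe)?\s+/set|stop-service\s+.*eventlog",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _under_trusted_dir(path: str) -> bool:
    """True if the executable path sits under a directory we expect service binaries in."""
    p = path.strip('"').lower()
    return any(p.startswith(d) for d in TRUSTED_SERVICE_DIRS)


def _names_vendor(text: str) -> bool:
    t = text.lower()
    return any(v in t for v in IMPERSONATED_VENDORS)


def evaluate(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over each event record and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("event")
        if kind == "task_created":  # e.g. Security 4698
            name = ev.get("task_name", "")
            action = ev.get("action", "")
            if name.lower() in KNOWN_TASK_NAMES:
                findings.append(Finding("known-task-name", host, f"{name!r} -> {action}"))
            elif _names_vendor(name) and not _under_trusted_dir(action):
                findings.append(Finding("vendor-named-task-untrusted-path", host, f"{name!r} -> {action}"))
        elif kind == "service_installed":  # e.g. System 7045
            image = ev.get("image_path", "")
            if not _under_trusted_dir(image):
                findings.append(Finding("service-untrusted-path", host, f"{ev.get('service_name')} -> {image}"))
        elif kind == "file_created":  # e.g. Sysmon 11
            path = ev.get("path", "")
            if STARTUP_LNK_RE.search(path):
                findings.append(Finding("startup-lnk", host, path))
        elif kind == "process_created":  # e.g. Sysmon 1 / Security 4688
            cmd = ev.get("command_line", "")
            if SHADOW_DELETE_RE.search(cmd):
                findings.append(Finding("shadow-copy-deletion", host, cmd))
            if LOGGING_TAMPER_RE.search(cmd):
                findings.append(Finding("logging-tamper", host, cmd))
        elif kind == "image_signature":  # e.g. Sysmon 7 signer/status fields
            signer = ev.get("signer", "")
            if _names_vendor(signer) and ev.get("status", "").lower() != "valid":
                findings.append(Finding("forged-vendor-signature", host, f"{ev.get('image')} signer={signer!r} status={ev.get('status')}"))
    return findings


# Constructed sample telemetry (invented hosts, paths and names).
SAMPLE_EVENTS = [
    {"event": "task_created", "host": "fin-ws-07", "task_name": "Palo Alto Cortex Services", "action": "C:\\Users\\Public\\cortex\\cortex.exe"},
    {"event": "file_created", "host": "fin-ws-07", "path": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk"},
    {"event": "service_installed", "host": "fin-srv-02", "service_name": "VMwareToolsSvc", "image_path": "C:\\ProgramData\\vmtools\\vmtoolsd.exe"},
    {"event": "service_installed", "host": "fin-srv-02", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event": "image_signature", "host": "fin-ws-07", "image": "C:\\Users\\Public\\cortex\\cortex.exe", "signer": "Palo Alto Networks", "status": "Invalid"},
    {"event": "image_signature", "host": "fin-ws-07", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "signer": "Microsoft Corporation", "status": "Valid"},
    {"event": "process_created", "host": "fin-srv-02", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_created", "host": "fin-srv-02", "command_line": "wevtutil.exe cl Security"},
    {"event": "process_created", "host": "fin-ws-07", "command_line": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule maps to one behaviour in the article rather than to a file hash, so it keeps firing when the operators rebuild their payloads; the trade-off is that the untrusted-path and vendor-branding heuristics will need an allow-list for legitimate software that installs outside Program Files.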
The ongoing and evolving nature of these cyber threats underscores the critical need for continuous adaptation and improvement in cybersecurity defenses within the financial sector, particularly in regions frequently targeted by sophisticated criminal operations. The effectiveness of these attacks, leveraging both readily available and custom-built tools, highlights the dynamic threat landscape and the persistent challenge posed by initial access brokers and ransomware groups.