Since mid-2017, cybercriminals have been targeting financial institutions in a number of West African countries using a variety of commodity malware programs and living off the land tools (i.e., tools already installed on targeted computers, or simple scripts and shellcode run directly in memory).
To date, organizations in Cameroon, Democratic Republic of the Congo, Ghana, Equatorial Guinea and Ivory Coast have been “hit by a wave of attacks,” according to a blog posted by cybersecurity firm Symantec.
Parties behind the attacks have not been identified; Symantec said they could be the work of just one group or several groups using similar tactics. The latest occurred in mid-December, the company said.
Symantec has detected four types of attack, which are detailed in the blog. All attack types were discovered through alerts generated by Symantec Targeted Attack Analytics (TAA), a program that uses artificial intelligence to spot data patterns associated with targeted attacks.
According to the blog: “A growing number of attackers in recent years are adopting ‘living off the land’ tactics — namely the use of operating system features or network administration tools to compromise victims’ networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate.
However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers’ use of living off the land tactics led to the discovery of their attacks.”
The blog goes on to list common threads in the attacks, methods of protection and mitigation, and indicators of compromise.
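The point Symantec makes above is that a legitimate administration tool is not suspicious on its own; what gives the attacker away is the context in which it runs. The following Python sketch is an added illustration of that idea and is not Symantec's TAA or any code from the blog. The tool names are standard Windows binaries, but the baseline of "expected" hosts and parent processes, the list of office-type parents, the command-line hints, and the sample process events are all constructed assumptions for the example.

```python
"""
Context-based scoring of "living off the land" activity.

A process-creation event for an admin tool is compared against a baseline of
where that tool normally runs (which hosts, which parent processes). Deviations
from the baseline, plus a few command-line hints of hidden or in-memory
execution, accumulate into a list of reasons that a triage queue can show.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# ASSUMED baseline: in a real deployment this is learned from weeks of
# telemetry; here it is hand-written for the example.
BASELINE = {
    "powershell.exe": {"hosts": {"admin-ws01"}, "parents": {"explorer.exe", "cmd.exe"}},
    "wmic.exe":       {"hosts": {"admin-ws01"}, "parents": {"cmd.exe"}},
    "net.exe":        {"hosts": {"admin-ws01"}, "parents": {"cmd.exe"}},
}

# Document and mail clients have no business launching administration tooling.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Command-line fragments commonly seen when a script is meant to stay out of
# sight or run without touching disk (constructed list, not exhaustive).
IN_MEMORY_HINTS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring(")


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like misuse of a legitimate tool.

    An empty list means the event matches its baseline (or the image is not a
    tracked tool at all).
    """
    reasons: list[str] = []
    image = ev.image.lower()
    baseline = BASELINE.get(image)
    if baseline is None:
        return reasons  # not a dual-use tool we track

    host, parent, cmd = ev.host.lower(), ev.parent.lower(), ev.cmdline.lower()

    if host not in baseline["hosts"]:
        reasons.append(f"{image} ran on non-admin host {ev.host}")
    if parent not in baseline["parents"]:
        reasons.append(f"{image} spawned by unexpected parent {ev.parent}")
    if parent in OFFICE_PARENTS:
        reasons.append(f"office application {ev.parent} launched an admin tool")
    for hint in IN_MEMORY_HINTS:
        if hint in cmd:
            reasons.append(f"command line suggests hidden or in-memory execution ({hint})")
            break  # one hint is enough; avoid stacking near-duplicate reasons
    return reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events that produced at least one reason."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry: one routine admin action, one office document
# spawning a hidden encoded script on a teller workstation, one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("ADMIN-WS01", "itadmin", "cmd.exe", "powershell.exe",
                 "powershell.exe Get-Service -Name Spooler"),
    ProcessEvent("TELLER-PC07", "jdoe", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc <constructed-base64-placeholder>"),
    ProcessEvent("TELLER-PC07", "jdoe", "explorer.exe", "notepad.exe",
                 "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.host} / {ev.user}: {ev.image}")
        for r in reasons:
            print(f"    - {r}")
```

The routine admin action produces no reasons, the notepad launch is ignored because it is not a tracked tool, and only the teller-workstation event is flagged. That asymmetry is the design choice worth noting: alerting on every PowerShell launch would drown analysts, whereas alerting on PowerShell launched by a word processor on a machine that never runs it is a small, high-signal queue.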