How the attacks were uncovered
All four attack types were first discovered through alerts generated by Symantec’s Targeted Attack Analytics (TAA). TAA leverages advanced artificial intelligence to analyze Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks.
A growing number of attackers in recent years are adopting “living off the land” tactics—namely the use of operating system features or network administration tools to compromise victims’ networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate. However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers’ use of living off the land tactics led to the discovery of their attacks.
Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz.
Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP.
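To make the detection idea above concrete, here is an added example (not Symantec's TAA, and not code from the report) that correlates process-creation telemetry per host and flags the sequence the report describes: a remote-access or lateral-movement tool (PsExec, RDP, UltraVNC) followed shortly by PowerShell or Mimikatz on the same host. The event records, field layout and time window are constructed assumptions.

```python
"""Toy living-off-the-land (LotL) correlator over process-creation events.

Added illustration only. A lone PowerShell launch from a user's desktop is
left alone (that is the "hide in plain sight" problem); the alert fires when
a remote/lateral tool is followed by a follow-on tool on the same host within
WINDOW. Image names are the common executable names; adjust for your telemetry.
"""
from datetime import datetime, timedelta

# Tools named in the report, grouped by the role they play in an intrusion.
REMOTE_TOOLS = {"psexec.exe", "psexesvc.exe", "mstsc.exe", "winvnc.exe"}
FOLLOW_ON = {"powershell.exe", "mimikatz.exe"}

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events: (ISO timestamp, host, image name)
SAMPLE_EVENTS = [
    ("2018-10-01T09:00:00", "ws01", "explorer.exe"),
    ("2018-10-01T09:05:00", "ws01", "powershell.exe"),   # benign admin use
    ("2018-10-01T09:10:00", "srv07", "psexesvc.exe"),    # PsExec service
    ("2018-10-01T09:12:00", "srv07", "powershell.exe"),  # follows PsExec
    ("2018-10-01T09:20:00", "srv07", "mimikatz.exe"),    # credential theft
    ("2018-10-01T10:30:00", "srv09", "mstsc.exe"),       # RDP client alone
]


def correlate(events):
    """Return {host: [(remote_tool, follow_on_tool), ...]} for suspicious sequences."""
    findings = {}
    seen_remote = {}  # host -> list of (time, tool) remote-tool launches
    for ts, host, image in sorted(events):
        t = datetime.fromisoformat(ts)
        name = image.lower()
        if name in REMOTE_TOOLS:
            seen_remote.setdefault(host, []).append((t, name))
        elif name in FOLLOW_ON:
            # Pair this launch with every remote tool seen on the host in WINDOW.
            for rt, rtool in seen_remote.get(host, []):
                if timedelta(0) <= t - rt <= WINDOW:
                    findings.setdefault(host, []).append((rtool, name))
    return findings


if __name__ == "__main__":
    for host, pairs in correlate(SAMPLE_EVENTS).items():
        print(host, pairs)
```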
Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.
Globalization of cyber crime
Until now, Symantec has seen relatively little evidence of these kinds of attacks against the financial sector in West Africa. However, it now appears that at least one group (and quite possibly more) is actively targeting banks in the region.
Symantec has the following protections in place to defend customers against these attacks:
Indicators of Compromise
The following list of indicators of compromise is related to African banking attacks. It is likely that these indicators are used by multiple different actors.
The first attack type