How the attacks were uncovered

All four types were first discovered through alerts generated by Symantec’s Targeted Attack Analytics (TAA). TAA leverages advanced artificial intelligence to analyze Symantec’s telemetry data lake in order to spot patterns associated with targeted attacks.

A growing number of attackers in recent years are adopting “living off the land” tactics—namely the use of operating system features or network administration tools to compromise victims’ networks. By exploiting these tools, attackers hope to hide in plain sight, since most activity involving these tools is legitimate. However, in each case, a TAA alert was triggered by the attackers maliciously using a legitimate tool. In short, the attackers’ use of living off the land tactics led to the discovery of their attacks.

Common threads

Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Any malware used was off-the-shelf, commodity malware: Cobalt Strike, Imminent Monitor RAT, NanoCore RAT, Remote Manipulator System RAT, and Mimikatz.

Additionally, most of the attacks leveraged living off the land tactics, making use of tools such as PowerShell, PsExec, UltraVNC, and RDP.
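To show why malicious use of legitimate tools is still detectable, here is an added example, not Symantec's TAA (whose logic is proprietary and not described here): a small Python triage over constructed process-creation records that flags the dual-use tools named above only when context (an Office parent process, an encoded or hidden PowerShell command line) makes the use anomalous. The field names, tool list and sample events are assumptions made for this illustration.

```python
import re

# Constructed sample of process-creation records (Sysmon Event ID 1 style).
# These are invented for the example, not telemetry from the attacks on this page.
SAMPLE_EVENTS = [
    {"host": "ws-03", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -NoProfile Get-Date"},
    {"host": "ws-03", "user": "CORP\\alice", "parent": "winword.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "srv-fin", "user": "CORP\\svc-backup", "parent": "services.exe",
     "image": "psexesvc.exe", "cmd": "psexesvc.exe"},
    {"host": "ws-07", "user": "CORP\\bob", "parent": "cmd.exe",
     "image": "winvnc.exe", "cmd": "winvnc.exe -run"},
    {"host": "ws-07", "user": "CORP\\bob", "parent": "explorer.exe",
     "image": "mstsc.exe", "cmd": "mstsc.exe /v:srv-fin"},
]

# Dual-use admin tooling named in the article (PowerShell, PsExec, UltraVNC, RDP client).
LOTL_TOOLS = {"powershell.exe", "psexec.exe", "psexesvc.exe", "winvnc.exe", "mstsc.exe"}
# Parents that should rarely spawn admin tooling on an ordinary workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def score_event(ev):
    """Return (score, reasons) for one record; every matched heuristic adds one point."""
    reasons = []
    if ev["image"].lower() not in LOTL_TOOLS:
        return 0, reasons
    reasons.append("dual-use admin tool: " + ev["image"])
    if ev["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append("spawned by Office process " + ev["parent"])
    if ev["image"].lower() == "powershell.exe":
        if ENCODED_PS.search(ev["cmd"]):
            reasons.append("encoded PowerShell command line")
        if HIDDEN_PS.search(ev["cmd"]):
            reasons.append("hidden PowerShell window")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Keep only events at or above the threshold: a tool on its own is normal admin noise."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["host"], ev["image"], reasons))
    return hits
```

Run as written, only the Office-spawned, hidden, encoded PowerShell launch on ws-03 survives triage; the PsExec service, VNC and RDP records are logged but score too low to alert on their own.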

Commodity malware is readily available on the cyber underground. While it may not be as powerful or stealthy as custom-developed tools, it does add a certain level of anonymity to attacks, making it harder to link attacks together and attribute them to any one group of attackers.

Globalization of cyber crime

Until now, Symantec has seen relatively little evidence of these kinds of attacks against the sector in West Africa. However, it now appears that there is at least one (and quite possibly more) groups actively targeting in the region.

Protection/Mitigation

Symantec has the following protections in place to protect customers against these attacks:

File-based protection

Indicators of Compromise

The following list of indicators of compromise is related to banking attacks. It is likely that these indicators are used by multiple different actors.

The first attack type

Files 
