Opera1er APT Group Targeting Banks, Financial Institutes, and Mobile Operators across Africa, Asia and LATAM

Background

Between 2018 and 2022, a string of more than 30 successful cyberattacks against banks, financial services providers, and telecom businesses in Africa, Asia, and Latin America have been attributed to a French-speaking threat actor known as OPERA1ER. With real losses believed to be as high as $30 million, these attacks have resulted in thefts totaling $11 million. According to reports, many of the identified victims had their infrastructure twice penetrated before it was used as a weapon against other organizations.

Attack Chain

Initial Access:

Spear phishing emails were used to gain initial access to the targeted organizations, as is familiar with many threat actor campaigns. Along with common malicious subjects like fake invoices or postal delivery notifications, This group used a lot of instances of topics related to the targeted industries, such as government tax office notifications, job offers from The Central Bank of West African States, or specific subjects related to the digital currency industry.

Although researchers also found emails written in English, the majority of the emails were written in French. To start with, OPERA1ER used a variety of families of well-known malware payloads. Through campaigns in 2019 and 2020, the malware families like NanoCore, H-Worm (Houdini Worm), WSH Rat, Remcos, Adwind, or QNodeJS were used.

Delivery:

Widespread use of SendGrid (https://sendgrid.com), as well as compromised mail systems like mail.groupechaka.com, were seen. This threat actor has been using this infrastructure at least since the first quarter of 2020 and is still in operation.

Pivoting:

After deploying the first RAT, operators examine compromised machines. Metasploit Meterpreter or Cobalt Strike Beacon are downloaded and activated when a machine of interest is compromised. It’s interesting to note that during the lateral movement phase, OPERAIER applies both frameworks. Additionally, the control is switched between the two frameworks. The attacker deployed the Metasploit server inside a compromised infrastructure in at least two incidents at several banks. Additionally, additional banks and organizations were targeted by it.

Privilege Escalation:

To escalate privileges, the operator employs a variety of strategies. Fodhelper and the token duplication approach were misused to bypass UAC.

Persistence:

After obtaining privileged access, the operator uses a variety of methods to ensure RATs and beacons are persistent. They started out by launching a tool on a set schedule every five minutes as their first persistence technique by using scheduled tasks. In order to take control of some machines, they also launched AnyDesk.

They started the port-forwarding program ngrok on the servers after gaining access to part of them in order to tunnel the RDP port. They could then use the ngrok cloud service to establish RDP connections to these servers over the Internet. They launched ngrok as a service after wrapping it in NSSM to add persistence.

Reconnaissance:

After deploying a beacon and escalating rights, the operator begins to examine the intranet. Advanced IP Scanner was used to do a thorough network scan in order to learn more about the IS and susceptible opened TCP ports that exposed services like RDP, network shares, servers, and workstation names.

Credential harvesting:

The attacker employed additional programs, such as Revealer Keylogger, Nirsoft Remote Desktop PassView, rdpthief, safetykatz, hivejack, logonscreen, SharpWeb, and Mimikatz, to intercept passwords and RDP connections.

Lateral Movement:

The lateral movement was carried out in the first phase of 2019 via traditional TTP, such as RDP, PSExec, PowerShell Remoting, and WinRM.

The Cobalt Strike framework and SMB Beacon were used extensively to execute lateral movement during the second phase of 2020. It is challenging to discover them since they appear to be wary of the lateralization strategy being applied.

Banking Fraud Operation

In the case of banking fraud, after the threat actors used the various above-described attacks to gain access to internal systems, they were able to read (via workstation Keylogger infections) and subsequently steal the login credentials (login details & password) of various key operator users who were in charge of initiating, approving at level 1 and level 2, and transferring, digital money within the system. The threat actors selected Operator accounts that held sizable sums of digital currency, transferred the monies using the stolen credentials into Channel User accounts that they controlled, and then moved the funds into numerous mule subscribers’ accounts that they either controlled or coordinated. Finally, via a network of ATMs, the money was taken out of the system as cash. In this instance, it is obvious that the attack and theft of cash were made possible since the bad actors were able to amass multiple levels of access permissions to the system by stealing the login information of different operator users.

To enable the scam to be carried out in the quickest manner feasible, several strategies were deployed. These include automating the USSD orders to move the stolen funds from the Channel Accounts into the mule accounts for later cash-outs and using APIs that are specifically created for doing mass debits from Operator Accounts and credits to Channel Accounts.

Recommendations

• Check your infrastructure for the indicators of compromise listed in the Group-IB report.
• Look for outgoing connections on ports 777 and 1600 in the network traffic.
• Increase your organization’s awareness of cyber threats by utilizing external cyber threat intelligence products.
• Limit or restrict PowerShell where it is unnecessary. Keep an eye on any executable scripts, paying particular attention to PowerShell. Long base64-encoded strings in arguments or arguments that are typical of Cobalt Strike, Metasploit, CrackMap Exec, etc. are signs of executable processes.