Bluebottle Threat Actors Strike Banks in French-speaking Countries
Category: Threat Actor Activity | Industry: Financial | Level: Tactical | Source: Symantec
Symantec has published research on a financially motivated threat group, tracked as Bluebottle, that targets banks in French-speaking countries. Based on the group's tactics, techniques, and procedures (TTPs), there is a potential overlap with the threat group tracked by Group-IB as "OPERA1ER," which stole at least $11 million from 30 compromised organizations between mid-2019 and 2021. Overlapping TTPs include shared domains, shared targeting of French-speaking entities, particularly those located in Africa, the absence of any custom malware, and the use of tools such as Cobalt Strike, Ngrok, PsExec, RDPWrap, and Revealer Keylogger. The activity reported by Symantec is more recent, taking place between May 2022 and September 2022 and impacting three financial institutions in African nations. A notable new technique is the group's use of a signed Windows driver to disable security products on victim hosts.
Bluebottle campaigns begin with the delivery of malware masquerading as job-themed document files, often arriving in a ZIP or ISO archive. The malware was identified as GuLoader, a commodity loader that drops further malware alongside benign decoy files. Regarding the signed driver, Symantec reported: "A set of malware was also deployed by the attackers that had the likely goal of disabling the security products on victim networks. The malware consisted of two components, a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list." The same signed driver has been observed in the attack chains of notable ransomware groups such as Cuba, Noberus, and LockBit. The threat actors remained on victim networks for extended periods: one campaign involved a dwell time of three weeks, and an Ngrok tunnel was separately identified as active for months. Additional post-exploitation activity by Bluebottle includes the use of Mimikatz for credential access, SharpHound for Active Directory reconnaissance, lateral movement over RDP, and the creation of a new user account for persistence.
Anvilogic Use Cases:
- Malicious Service Runs Driver to Compromise Host
- Windows Service Created
- Driver as Command Parameter
- Tunneling Process Created
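As an added example, not part of the Symantec report or of Anvilogic's own detection content, the Python below sketches how the four use cases above could be expressed as detection logic and runs them over constructed Windows event records. The records loosely mirror Windows System event 7045 (service installed) and Sysmon event 1 (process create); the host name, service name, paths, and field layout are assumptions made for the example.

```python
import re
from typing import Dict, List

Event = Dict[str, object]

# Constructed sample telemetry (not taken from the Symantec report). Field names,
# host, service name and paths are assumptions for this example.
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 7045, "host": "FIN-WS-07", "service_name": "NetworkHelper",
     "image_path": r"C:\Users\Public\Libraries\helper.sys",
     "service_type": "kernel mode driver"},
    {"event_id": 7045, "host": "FIN-WS-07", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "service_type": "user mode service"},
    {"event_id": 1, "host": "FIN-WS-07", "image": r"C:\Windows\System32\sc.exe",
     "command_line": r"sc.exe create NetworkHelper type= kernel "
                     r"binPath= C:\Users\Public\Libraries\helper.sys"},
    {"event_id": 1, "host": "FIN-WS-07", "image": r"C:\Users\Public\Libraries\ngrok.exe",
     "command_line": "ngrok.exe tcp 3389"},
    {"event_id": 1, "host": "FIN-WS-07", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\user\Downloads\job_offer.docx"},
]

# Directories from which a newly installed service image is unremarkable.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\", "c:\\program files (x86)\\")
# A Windows path ending in .sys passed on a command line.
DRIVER_ARG = re.compile(r"(?i)\b[a-z]:\\\S+?\.sys\b")
# Ngrok tunnel sub-commands ("tcp 3389", "http 80"). Deliberately crude: a
# renamed ngrok binary is only caught if it keeps these arguments.
TUNNEL_ARGS = re.compile(r"(?i)\b(tcp|tls|http)\s+(\d{1,5}|\S+:\d{1,5})\b")
TUNNEL_IMAGES = ("ngrok",)


def windows_service_created(events: List[Event]) -> List[Dict[str, str]]:
    """Use case 'Windows Service Created': record every 7045, rating a kernel
    driver or an image outside the trusted directories higher."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        untrusted = not str(ev["image_path"]).lower().startswith(TRUSTED_SERVICE_DIRS)
        is_driver = "kernel" in str(ev.get("service_type", "")).lower()
        severity = ("high" if is_driver and untrusted
                    else "medium" if is_driver or untrusted else "low")
        findings.append({"rule": "Windows Service Created", "host": str(ev["host"]),
                         "service_name": str(ev["service_name"]), "severity": severity})
    return findings


def driver_as_command_parameter(events: List[Event]) -> List[Dict[str, str]]:
    """Use case 'Driver as Command Parameter': a process whose command line
    names a .sys file, e.g. sc.exe registering a kernel service for it."""
    findings = []
    for ev in events:
        match = DRIVER_ARG.search(str(ev.get("command_line", "")))
        if ev.get("event_id") == 1 and match:
            findings.append({"rule": "Driver as Command Parameter", "host": str(ev["host"]),
                             "image": str(ev["image"]), "driver_path": match.group(0)})
    return findings


def tunneling_process_created(events: List[Event]) -> List[Dict[str, str]]:
    """Use case 'Tunneling Process Created': Ngrok by image name or by its
    tunnel arguments (Bluebottle kept an Ngrok tunnel up for months)."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        image = str(ev.get("image", "")).lower().rsplit("\\", 1)[-1]
        cmd = str(ev.get("command_line", ""))
        if image.startswith(TUNNEL_IMAGES) or TUNNEL_ARGS.search(cmd):
            findings.append({"rule": "Tunneling Process Created", "host": str(ev["host"]),
                             "image": str(ev["image"]), "command_line": cmd})
    return findings


def malicious_service_runs_driver(events: List[Event]) -> List[Dict[str, str]]:
    """Use case 'Malicious Service Runs Driver to Compromise Host': join the two
    driver signals on host and path, so a kernel service whose image was also
    named on a command line becomes one high-confidence finding."""
    seen = {(f["host"], f["driver_path"].lower()) for f in driver_as_command_parameter(events)}
    findings = []
    for ev in events:
        if ev.get("event_id") != 7045 or "kernel" not in str(ev.get("service_type", "")).lower():
            continue
        if (str(ev["host"]), str(ev["image_path"]).lower()) in seen:
            findings.append({"rule": "Malicious Service Runs Driver to Compromise Host",
                             "host": str(ev["host"]), "service_name": str(ev["service_name"]),
                             "driver_path": str(ev["image_path"])})
    return findings


def run_all(events: List[Event]) -> List[Dict[str, str]]:
    """Run the four use cases and return every finding."""
    return (windows_service_created(events) + driver_as_command_parameter(events)
            + tunneling_process_created(events) + malicious_service_runs_driver(events))


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The first three rules are independent signals; the fourth is the correlation that turns "a service was created" and "a .sys path appeared on a command line" into the chain described for Bluebottle, which is where the analyst's attention belongs. The Ngrok rule is the weakest of the four, since it depends on the binary name or on Ngrok's argument syntax; in practice it should be paired with network telemetry for the tunnel itself.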