Security experts have uncovered a long-running APT campaign by a French-speaking threat group that has stolen at least $11m from banks and telcos over a four-year period.
Group-IB named the group “OPERA1ER,” although it has been previously known by the monikers “DESKTOP-group” and “Common Raven.”
The threat intelligence firm teamed up with the Orange CERT Coordination Center to compile the report, “OPERA1ER. Playing God without permission”.
It detailed how the group used off-the-shelf tooling to carry out at least 35 attacks on banks, financial services companies and telecommunications providers mainly in Africa, Bangladesh and Argentina, between 2018 and 2022.
“Detailed analysis of the gang’s recent attacks revealed an interesting pattern in its modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays,” said Rustam Mirkasymov, head of cyber threat research at Group-IB Europe.
“It correlates with the fact that it spends from three to 12 months from the initial access to money theft. It was established that the French-speaking hacker group could operate from Africa. The exact number of the gang members is unknown.”
The group used freely available malware and red-teaming frameworks like Metasploit and Cobalt Strike to achieve its ends.
Attacks begin with a highly targeted spear-phishing email carrying a booby-trapped attachment, which may hide a remote access Trojan (RAT) such as Netwire, BitRAT, VenomRAT, AgentTesla or Neutrino, as well as password sniffers and dumpers.
This access leads to exfiltration of emails and internal documents that are then studied for use in future phishing attacks. Documents also helped the attackers to understand the complex digital payments platform used by the victim organizations, according to the report.
“The platform has a three-tiered architecture of distinct accounts to allow different types of operations. To compromise these systems, OPERA1ER would require specific knowledge about key people involved in the process, protection mechanisms in place, and links between back-end platform operations and cash withdrawals,” Group-IB said.
“The gang could have obtained this knowledge directly from the insiders or themselves by slowly and carefully inching their way into the targeted systems.”
Using credentials stolen from internal accounts, the hackers apparently transferred funds from “operator” accounts containing large sums of money to “channel user” accounts, and from there to “subscriber” accounts under their control.
The group then cashed out the funds via ATMs – including one raid where they did so via a network of over 400 subscriber accounts controlled by money mules recruited months in advance.
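The three-tier money flow just described (operator to channel user to subscriber, fanned out across many mule accounts, and timed for weekends or holidays) is the kind of pattern a fraud or SOC team can hunt for in a payment platform's transfer ledger. The following detection heuristic is an added example written for this article; it is not Group-IB, Orange or OPERA1ER code, and the ledger schema, tier labels, thresholds, holiday calendar and sample transactions are all assumptions constructed for illustration.

```python
"""Heuristic detection for the operator -> channel -> subscriber laundering
path described in the article. Added example, not code from the report.
Schema, tier labels, thresholds and the holiday list are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    src_tier: str   # assumed tier labels: "operator", "channel", "subscriber"
    dst: str
    dst_tier: str
    amount: float


# Assumed public-holiday calendar for the victim's jurisdiction (constructed).
PUBLIC_HOLIDAYS = {date(2021, 1, 1)}


def off_hours(ts: datetime) -> bool:
    """True on weekends or listed public holidays, the timing the report notes."""
    return ts.weekday() >= 5 or ts.date() in PUBLIC_HOLIDAYS


def detect_chains(transfers, window=timedelta(hours=72), min_fanout=5):
    """Return one alert per channel account that (a) was seeded by an operator
    account during off-hours and (b) then paid out to at least `min_fanout`
    distinct subscriber accounts within `window` of the seeding transfer."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)

    alerts = []
    for t in transfers:
        if t.src_tier != "operator" or t.dst_tier != "channel" or not off_hours(t.ts):
            continue
        downstream = [d for d in by_src[t.dst]
                      if d.dst_tier == "subscriber" and t.ts <= d.ts <= t.ts + window]
        subscribers = {d.dst for d in downstream}
        if len(subscribers) >= min_fanout:
            alerts.append({
                "operator": t.src,
                "channel": t.dst,
                "seeded_at": t.ts,
                "amount_in": t.amount,
                "amount_out": round(sum(d.amount for d in downstream), 2),
                "subscriber_count": len(subscribers),
            })
    return alerts


def build_sample_transfers():
    """Constructed sample ledger: one ordinary weekday flow and one Saturday
    seeding followed by fan-out to eight mule (subscriber) accounts."""
    rows = []
    mon = datetime(2021, 3, 1, 10, 0)   # a Monday: ordinary business flow
    rows.append(Transfer(mon, "OP-01", "operator", "CH-77", "channel", 20_000.0))
    rows.append(Transfer(mon + timedelta(hours=1), "CH-77", "channel", "SUB-1", "subscriber", 9_000.0))
    rows.append(Transfer(mon + timedelta(hours=2), "CH-77", "channel", "SUB-2", "subscriber", 9_000.0))

    sat = datetime(2021, 3, 6, 2, 15)   # a Saturday: suspicious seeding
    rows.append(Transfer(sat, "OP-01", "operator", "CH-42", "channel", 250_000.0))
    for i in range(8):                  # fan-out to mule accounts over ~24h
        rows.append(Transfer(sat + timedelta(hours=3 * i), "CH-42", "channel",
                             f"MULE-{i}", "subscriber", 30_000.0))
    return rows


if __name__ == "__main__":
    for alert in detect_chains(build_sample_transfers()):
        print(alert)
```

Run as-is it flags only the Saturday chain: the weekday flow is ignored by the off-hours filter, while CH-42 is seeded from an operator account on a Saturday and pays eight distinct subscriber accounts within the 72-hour window. In a real deployment the tier labels would come from the platform's account directory, the thresholds would be tuned against the institution's baseline of legitimate channel-to-subscriber activity, and the off-hours filter should lower rather than gate the alert threshold, since the report shows dwell times of months before any money moves.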
In one case, the hackers managed to access a victim bank’s SWIFT messaging interface software, while in another they hijacked an SMS server, which could have been used to bypass anti-fraud mechanisms or to cash out money via payment or mobile banking systems, according to the report.