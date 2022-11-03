



Security experts have uncovered a long-running APT campaign by a French-speaking threat group that stole at least $11 million from banks and telecom operators over a four-year period. Group-IB named the group “OPERA1ER”, although it was previously known by the nicknames “DESKTOP-group” and “Common Raven”. The threat intelligence firm partnered with the Orange CERT Coordination Center to compile the report, “OPERA1ER. Playing God without permission”. It details how the group used off-the-shelf tools to carry out at least 35 attacks against banks, financial services companies and telecommunications providers, mainly in Africa, Bangladesh and Argentina, between 2018 and 2022.

“Detailed analysis of the gang’s recent attacks revealed an interesting trend in its modus operandi: OPERA1ER conducts attacks mostly during weekends or holidays,” said Rustam Mirkasymov, head of cyber threat research at Group-IB Europe. “This correlates with it going from three months to 12 months from initial access to stealing money.”

It was established that the group of French-speaking hackers could be operating from Africa. The exact number of gang members is unknown. The group used freely available malware and red-teaming frameworks such as Metasploit and Cobalt Strike to achieve its ends. Attacks begin with a highly targeted spear-phishing email carrying a booby-trapped attachment, which can conceal a Remote Access Trojan (RAT) such as Netwire, BitRAT, VenomRAT, AgentTesla or Neutrino, as well as password sniffers and dumpers. This access leads to the exfiltration of emails and internal documents, which are then studied for use in future phishing attacks. According to the report, the documents also helped the attackers understand the complex digital payment platform used by the victim organizations.

“The platform has a three-tier architecture of separate accounts to enable different types of operations. To compromise these systems, OPERA1ER would need specific knowledge about the key people involved in the process, the protection mechanisms in place and the links between back-end platform operations and cash withdrawals,” Group-IB said. “The gang could have obtained this knowledge directly from insiders or by themselves, by slowly and carefully cutting their way into the targeted systems.”

Using credentials stolen from internal accounts, the hackers apparently transferred funds from “operator” accounts containing large sums of money to “channel user” accounts, and then to “subscriber” accounts under their control. The group then cashed out the funds through ATMs – including one raid in which it did so through a network of more than 400 subscriber accounts controlled by money mules recruited months in advance. In one case, the hackers managed to gain access to a victim bank’s SWIFT messaging interface software, while in another they hijacked an SMS server that could have been used to circumvent anti-fraud mechanisms or move money out through payment systems or mobile banking, according to the report.
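The operator-to-channel-to-subscriber layering and the weekend/holiday timing described above suggest a simple detection on a payment platform's transaction ledger. The following is an added illustration, not code from the report or from Group-IB; the ledger rows, tier names and holiday list are constructed, and the window and fan-out thresholds are assumed tuning values a fraud team would set for its own platform.

```python
from datetime import datetime, date

# Constructed sample ledger: (timestamp, src, src_tier, dst, dst_tier, amount).
# Saturday 2022-05-14 rows mimic the described chain; the Monday rows are normal traffic.
LEDGER = [
    ("2022-05-14T02:10:00", "OP-01", "operator", "CH-07", "channel", 50000),
    ("2022-05-14T02:25:00", "CH-07", "channel", "SUB-4410", "subscriber", 12000),
    ("2022-05-14T02:27:00", "CH-07", "channel", "SUB-4411", "subscriber", 12000),
    ("2022-05-16T10:00:00", "OP-01", "operator", "CH-02", "channel", 8000),
    ("2022-05-16T10:30:00", "CH-02", "channel", "SUB-0001", "subscriber", 8000),
]
HOLIDAYS = {date(2022, 5, 1)}  # assumed placeholder; load the real calendar in production


def off_hours(ts):
    """True on weekends, listed holidays, or outside an assumed 08:00-18:00 business day."""
    d = ts.date()
    return d.weekday() >= 5 or d in HOLIDAYS or not (8 <= ts.hour < 18)


def find_layering(ledger, window_minutes=60, min_fanout=2):
    """Flag operator->channel credits that fan out to min_fanout or more subscriber
    accounts within window_minutes, when any step of the chain happens off-hours."""
    rows = sorted((datetime.fromisoformat(t), s, st, d, dt, a) for t, s, st, d, dt, a in ledger)
    alerts = []
    for ts, src, st, dst, dt, amt in rows:
        if st != "operator" or dt != "channel":
            continue
        fanout = [r for r in rows
                  if r[1] == dst and r[4] == "subscriber"
                  and 0 <= (r[0] - ts).total_seconds() <= window_minutes * 60]
        if len(fanout) >= min_fanout and (off_hours(ts) or any(off_hours(r[0]) for r in fanout)):
            alerts.append({"operator": src, "channel": dst,
                           "subscribers": [r[3] for r in fanout],
                           "amount_in": amt, "amount_out": sum(r[5] for r in fanout)})
    return alerts


if __name__ == "__main__":
    for alert in find_layering(LEDGER):
        print(alert)
```

Only the Saturday chain is flagged; the Monday transfer is in business hours and reaches a single subscriber.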

