Bluebottle hackers used a signed Windows driver to attack banks

An encrypted Windows driver signed by a threat actor has been used to attack banks in French-speaking nations. The threat actor behind it is believed to be the same one that stole over $11 million from different banks.

These activities and targets match the description of the OPERA1ER hackers, who have been attributed at most 35 successful attacks between 2018 and 2020.

It is thought that the gang has French-speaking members. They operate out of Africa and target organizations there, but they have also targeted companies in Argentina and Paraguay.

Bluebottle TTPs point towards OPERA1ER

Today’s report by Symantec (a division of Broadcom Software) reveals details of the activities of Bluebottle, a cybercriminal organization it is tracking. The group shares many similarities with the OPERA1ER gang’s tactics, techniques and procedures (TTPs).

Group-IB published a long report on the gang in November 2022. Its researchers noted the absence of custom malware as well as the widespread use of open-source, commodity and framework tools.

Symantec adds technical details in its report, including the GuLoader tool used for loading malware. Also included is a signed kernel-mode driver that helps attackers kill security products on victim networks.

Researchers found that the malware consisted of two components: “A controlling DLL, which reads the process list from the third file” and “a signed driver called ‘helper’ that is controlled by the first driver. This driver was used to end the listed processes.”

Multiple cybercriminal organizations may have used the malicious signed driver to disable defenses. Mandiant and Sophos reported the issue in December in a report that covered kernel-mode drivers validated with Authenticode signatures obtained from .

POORTRY driver signed by Microsoft

Source: BleepingComputer

Mandiant identified the driver as . It stated that the driver was first observed in June 2022. The driver was also used with several certificates that were stolen or popular with cybercriminals.

Although the driver was the same, the version the Symantec researchers discovered was signed with a digital certificate issued to Zhuhai Liancheng Technology Co., Ltd.

Cybercriminals obtain legitimate signatures from trusted entities so that their malware passes signature verification and evades detection.

Researchers note that the same driver was also reported in ransomware attacks against non-profit entities in Canada.

Symantec says that Bluebottle activity was seen from July 2022 and continued into September. It is possible, however, that it started in May, a few months earlier.

Recent attacks also revealed some new TTPs, including the use of GuLoader during the first stages. Researchers also found evidence that the threat actor used ISO disk images delivered through job-themed spear-phishing to infect victims.

However, the traces found suggested the malware had been mounted from a CD-ROM. This could indicate that a genuine disc was used, or it could mean that victims were sent a malicious ISO file.

Bluebottle attacks on three African financial institutions were studied by Symantec researchers. In one of the attacks, the threat actor used multiple utilities and tools that were already present on the compromised system:

  • Quser for user discovery
  • Ping to check internet connectivity
  • Ngrok for network tunneling
  • Net localgroup /add for adding users
  • Fortinet VPN Client, probably for secondary access channels
  • Xcopy to copy RDP Wrapper files
  • Netsh to open port 3389 on the firewall
  • Autoupdatebat, an automatic RDP Wrapper updater and installer that enables multiple concurrent RDP sessions on one system
  • SC to change SSH agent permissions, which could be a key theft attempt or an installation error
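As an added defender-side example (not code from Symantec’s report or the group’s tooling), the following Python scans constructed Windows process-creation records for the living-off-the-land commands in the list above and flags a host only when several of them appear together, since each one on its own is routine administration. The rule names, hosts, users and command lines are assumptions made for illustration.

```python
import re

# Detection rules for the built-in utilities listed above. The patterns are
# assumptions written for this example; tune them to your own telemetry.
# Ping is deliberately left out: it is far too noisy to be a useful signal.
RULES = {
    "session_discovery": re.compile(r"\bquser(\.exe)?\b", re.I),
    "local_user_added": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add\b", re.I),
    "firewall_opens_rdp": re.compile(r"\bnetsh(\.exe)?\b.*\b3389\b", re.I),
    "rdp_wrapper_copied": re.compile(r"\bxcopy(\.exe)?\b.*rdpwrap", re.I),
    "ngrok_tunnel": re.compile(r"\bngrok(\.exe)?\b", re.I),
    "ssh_agent_service_changed": re.compile(r"\bsc(\.exe)?\s+(config|sdset)\s+ssh-agent\b", re.I),
}

# Constructed process-creation events (hostnames, users and commands are made up).
SAMPLE_EVENTS = [
    {"host": "FIN-WS01", "user": "CORP\\jdoe", "cmd": "quser.exe"},
    {"host": "FIN-WS01", "user": "CORP\\jdoe", "cmd": "ping.exe -n 2 example.com"},
    {"host": "FIN-WS01", "user": "CORP\\jdoe", "cmd": "net.exe localgroup administrators svc_backup /add"},
    {"host": "FIN-WS01", "user": "CORP\\jdoe",
     "cmd": 'netsh.exe advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'},
    {"host": "FIN-WS01", "user": "CORP\\jdoe",
     "cmd": 'xcopy.exe C:\\Users\\Public\\rdpwrap\\*.* "C:\\Program Files\\RDP Wrapper\\" /Y'},
    {"host": "FIN-WS01", "user": "CORP\\jdoe", "cmd": "ngrok.exe tcp 3389"},
    # A lone account addition on another host: routine helpdesk work, should not be flagged.
    {"host": "HR-WS07", "user": "CORP\\admin1", "cmd": "net.exe localgroup administrators helpdesk /add"},
]


def scan(events):
    """Return one hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": name, "cmd": ev["cmd"]})
    return hits


def suspicious_hosts(hits, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired.

    A single matching command is ordinary administration; the chain of
    discovery, account creation, RDP enablement and tunnelling is the signal.
    """
    per_host = {}
    for hit in hits:
        per_host.setdefault(hit["host"], set()).add(hit["rule"])
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for host, rules in suspicious_hosts(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```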

The last activity was detected on the victim network in September. However, researchers claim that Ngrok was still present up until November. This supports Group-IB’s discovery about OPERA1ER hackers who remained on compromised networks for long periods of time (between 3 and 12 months).

Bluebottle also used other malicious software, such as GuLoader, Mimikatz for stealing passwords from memory, Reveal Keylogger for capturing keystrokes, and the Netwire remote-access trojan.

Three weeks following the initial compromise, the threat actor began manual lateral movement activity using PsExec and a command prompt.

Although the attack analysis and the tools used indicate that Bluebottle is the same group as OPERA1ER, Symantec cannot confirm whether the activity it observed had the same monetization success reported by Group-IB.