Bluebottle observed in the wild.
Jan 5, 2023

Symantec researchers have released a report detailing recent activities of the Bluebottle cybercrime group, seen targeting African financial institutions.

Researchers at Symantec, a division of Broadcom Software, released a report this morning detailing the continuation of cybercrime group Bluebottle’s activity in Francophone countries, most recently observed against banks in French-speaking parts of Africa.

Background: Bluebottle lives off the land.

Symantec researchers report that the recent activity they’ve tracked as “Bluebottle” appears to be a continuation of activity that Group-IB tracks as “OPERA1ER”, most recently documented in a Group-IB report from November of last year. That report covered activity between 2019 and 2021, during which Group-IB attributed the theft of $11 million across 30 targeted attacks to the group. Symantec researchers note that in their findings, the cybercriminal gang “makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.”

Similarities in TTPs.

Symantec documented attributes shared between the activity in Group-IB’s report and its own findings, specifically in tactics, techniques, and procedures (TTPs):

  • “Same domain seen in both sets of activity: personnel[.]bdm-sa[.]fr
  • “Some of the same tools used: Ngrok; PsExec; RDPWrap; Revealer Keylogger; Cobalt Strike Beacon
  • “No custom malware found in either set of activity
  • “The crossover in targeting of French-speaking nations in Africa
  • “Both sets of activity also feature the use of industry-specific, and region-specific, domain names”

Symantec researchers note, however, that there were some new TTPs observed in more recent attacks:

  • “Some indications the attackers may have used ISO files as an initial infection vector
  • “The use of the commodity malware GuLoader in the initial stages of the attack
  • “Indications the attackers have adopted the technique of abusing kernel drivers to disable defenses”
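The indicators above (the shared domain, the dual-use tool set, and the possible ISO initial-access vector) are the kind of thing a defender would turn into a simple triage check. The script below is an added example, not code from Symantec, Group-IB or N2K: it refangs the published domain, matches the listed tool names against constructed sample log lines, and flags ISO images mounted from a user profile path. The sample log lines and the log format are constructed for illustration; the only indicator taken from the page is the defanged domain and the tool names, and the ISO path heuristic is an assumption about how such mounts would appear in endpoint telemetry.

```python
import re

# Indicator taken verbatim from the report (published defanged with "[.]").
DEFANGED_DOMAIN = "personnel[.]bdm-sa[.]fr"

# Dual-use tools named in the report, keyed by a lowercase substring to look for.
# Substring matching is deliberately loose for triage; expect false positives.
TOOL_KEYWORDS = {
    "ngrok": "Ngrok",
    "psexec": "PsExec",
    "rdpwrap": "RDPWrap",
    "revealer": "Revealer Keylogger",
    "cobalt strike": "Cobalt Strike Beacon",
}

# Assumption: an ISO image mounted from somewhere under C:\Users\<name>\ is
# worth a look as a possible initial-access artefact.
ISO_UNDER_PROFILE = re.compile(r"\\users\\[^\\]+\\.*\.iso\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable domain."""
    return indicator.replace("[.]", ".")


def classify_line(line: str) -> list:
    """Return the indicator labels matched by one log line (empty if none)."""
    hits = []
    lower = line.lower()
    if refang(DEFANGED_DOMAIN) in lower:
        hits.append("domain:" + DEFANGED_DOMAIN)
    for needle, label in TOOL_KEYWORDS.items():
        if needle in lower:
            hits.append("tool:" + label)
    if ISO_UNDER_PROFILE.search(lower):
        hits.append("vector:ISO")
    return hits


def scan(lines) -> dict:
    """Map the index of each matching line to the labels it matched."""
    results = {}
    for i, line in enumerate(lines):
        hits = classify_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not from the report); hostnames and paths are made up.
SAMPLE_LOGS = [
    "2022-07-14T08:02:11Z DNS query host=WS-17 qname=personnel.bdm-sa.fr",
    "2022-07-14T08:03:40Z Process create host=WS-17 "
    "image=C:\\Users\\amk\\AppData\\Local\\Temp\\ngrok.exe",
    "2022-07-14T08:05:02Z Mount host=WS-17 image=C:\\Users\\amk\\Downloads\\facture.iso",
    "2022-07-14T09:00:00Z Logon host=WS-17 user=amk type=interactive",
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(labels)}")
```

Run as-is it reports the DNS lookup of the shared domain, the Ngrok binary, and the ISO mount, and stays silent on the ordinary logon. The tool names are legitimate administrative software in many environments, so a hit on them is a prompt to check context (who ran it, from where, whether it is expected), not a verdict on its own.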

Victimizing the financial sector.

The activity observed by Symantec researchers is more recent than Group-IB’s report, taking place between July and September of last year, with potential activity beginning in May of 2022. Three different financial institutions in three different African countries were victimized according to Symantec, with the first activity observed in mid-July and effects seen on multiple machines at all affected organizations.