Bluebottle Threat Actor Campaign
Researchers have discovered a new threat group that is actively targeting the financial sector on the African continent. The group, called Bluebottle, makes extensive use of living-off-the-land techniques, dual-use tools, and commodity malware; no custom malware was deployed.
Bluebottle's activity is believed to be linked to a group previously identified as OPERA1ER, which stole at least $11 million over the course of 30 targeted attacks.
The initial attack vector used by Bluebottle is unknown, but researchers found that malicious files on victim networks had French-language file names that acted as lures and were disguised to appear as PDF files.
The group uses generic, off-the-shelf malware; the researchers found that it had been mounted as a CD-ROM. This could indicate that the infection vector was physical media, or that the malicious file arrived as an ISO image that was mounted on the victim's computer.
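The two observations above (executables dressed up as PDFs, and payloads arriving on a mounted ISO, which Windows presents as a CD-ROM volume) can be turned into a simple triage check over process-creation telemetry. The example below is added here and is not the researchers' code; the event records are constructed, and the `drive_type` field is an assumed enrichment (what `GetDriveType` reports for the image's volume), not something Sysmon itself records.

```python
from pathlib import PureWindowsPath

# Constructed sample process-creation records, shaped loosely after Sysmon
# Event ID 1. "drive_type" is an assumed enrichment field (the GetDriveType
# result for the image's volume); Sysmon itself does not record it.
SAMPLE_EVENTS = [
    {"image": r"E:\Facture_impayee.pdf.exe", "drive_type": "CDROM"},
    {"image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "drive_type": "FIXED"},
    {"image": r"C:\Users\alice\Downloads\Contrat.pdf.scr", "drive_type": "FIXED"},
    {"image": r"E:\setup.exe", "drive_type": "CDROM"},
]

# Extensions Windows will execute when a user double-clicks the file.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".vbs", ".bat", ".cmd"}

def is_pdf_masquerade(image: str) -> bool:
    """True if an executable's file name is dressed up to look like a PDF."""
    path = PureWindowsPath(image)
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in EXEC_EXTS:
        return False
    # Either a double extension (report.pdf.exe) or "pdf" worked into the stem.
    return ".pdf" in suffixes[:-1] or "pdf" in path.name.lower().split(".")[0]

def is_exec_from_mounted_image(event: dict) -> bool:
    """A mounted ISO shows up as a CD-ROM volume, so a process image living on a
    CDROM-type drive on a workstation deserves a closer look."""
    return event.get("drive_type") == "CDROM"

def triage(events):
    """Return (image, [reasons]) for every event that trips at least one check."""
    hits = []
    for ev in events:
        reasons = []
        if is_pdf_masquerade(ev["image"]):
            reasons.append("pdf-masquerade")
        if is_exec_from_mounted_image(ev):
            reasons.append("exec-from-cdrom-volume")
        if reasons:
            hits.append((ev["image"], reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Neither signal is conclusive on its own (legitimate installers ship on ISOs too), so the result is a triage queue, not a verdict.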
The delivered malware included GuLoader, which drops some legitimate binaries as a decoy for its malicious activity before deploying a secondary NSIS script that injects obfuscated shellcode into another process.
Another set of tools deployed by the group is designed to disable security defenses on victim networks. It consists of a controlling DLL that reads a list of process names and a signed helper driver that is used to terminate the processes on that list.
The primary goal of Bluebottle is believed to be persistence and credential theft. Victims have been identified in three African nations, along with an attack on a non-profit organization in Canada.