A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.
According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million.
Some of the more recent attacks in 2021 and 2021 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.
OPERA1ER, also known as DESKTOP-GROUP, Common Raven, and NXSMS, is known to have been active since 2016, conducting financially motivated heists and exfiltrating documents for further use in spear-phishing attacks.
"OPERA1ER often operates during weekends and public holidays," Group-IB said in a report shared with The Hacker News, adding the adversary's "entire arsenal is based on open-source programs and trojans, or free published RATs that can be found on the dark web."
This includes off-the-shelf malware such as Nanocore, Netwire, Agent Tesla, Venom RAT, BitRAT, Metasploit, and Cobalt Strike Beacon, among others.
The attack chain commences with "high-quality spear-phishing emails" bearing invoice, delivery, and hiring-themed lures written primarily in French and to a lesser extent in English. Some of the bogus missives used specific topics about transferring digital money between mobile operators and banks.
These messages feature ZIP archive attachments or links to Google Drive, Discord servers, infected legitimate websites, and other actor-controlled domains, which lead to the deployment of remote access trojans.
Once the RAT executes successfully, post-exploitation frameworks like Metasploit Meterpreter and Cobalt Strike Beacon are downloaded and launched to establish persistent access, harvest credentials, and exfiltrate files of interest, but not before an extended reconnaissance period to understand the back-end operations.
This is substantiated by the fact that the threat actor has been observed spending anywhere from three to 12 months between the initial intrusion and making fraudulent transactions to withdraw money from ATMs.
The final phase of the attack involves breaking into the victim's digital banking backend, enabling the adversary to move funds from high-value accounts to hundreds of rogue accounts, and ultimately cash them out via ATMs with the help of a network of money mules hired in advance.
"Here clearly the attack and theft of funds were possible because the bad actors managed to accumulate different levels of access rights to the system by stealing the login credentials of various operator users," Group-IB explained.
In one instance, over 400 mule subscriber accounts were employed to illicitly siphon the money, indicating that the "attack was very sophisticated, organized, coordinated, and planned over a long period of time."
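Two behaviours reported above, activity on weekends and public holidays and funds fanned out from a few accounts to hundreds of recipient accounts under several stolen operator logins, can be combined into one detection rule. The following Python is an added example, not taken from Group-IB's report; the log fields, thresholds, and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def is_off_hours(ts, holidays):
    """True on Saturday/Sunday or on a listed public holiday (date objects)."""
    return ts.weekday() >= 5 or ts.date() in holidays

def flag_fanout(transfers, holidays=frozenset(), min_recipients=5,
                window=timedelta(hours=48)):
    """Flag source accounts paying >= min_recipients distinct accounts within
    `window`, counting off-hours transfers only. Thresholds are assumptions.
    Returns {source: (recipients, operator_logins, total_amount)}."""
    by_source = defaultdict(list)
    for ts, operator, src, dst, amount in transfers:
        if is_off_hours(ts, holidays):
            by_source[src].append((ts, operator, dst, amount))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the burst fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            recipients = {r[2] for r in burst}
            if len(recipients) >= min_recipients and \
                    len(recipients) > flagged.get(src, (0,))[0]:
                flagged[src] = (len(recipients), len({r[1] for r in burst}),
                                sum(r[3] for r in burst))
    return flagged

def sample_transfers():
    """Constructed log rows: (timestamp, operator, source, destination, amount)."""
    sat = datetime(2022, 1, 8, 2, 0)    # a Saturday, 02:00
    tue = datetime(2022, 1, 11, 10, 0)  # a Tuesday, 10:00
    # Weekend burst: one account pays 12 recipients using 3 operator logins.
    rows = [(sat + timedelta(minutes=3 * i), f"op{i % 3}", "ACC-HV-1",
             f"RCPT-{i:03d}", 900) for i in range(12)]
    # Weekday payroll-style fan-out: skipped unless the day is a holiday.
    rows += [(tue + timedelta(minutes=i), "op9", "ACC-PAY",
              f"EMP-{i:03d}", 500) for i in range(20)]
    # Single weekend transfer: below the recipient threshold.
    rows.append((sat, "op4", "ACC-2", "ACC-3", 50))
    return rows

if __name__ == "__main__":
    for src, (n, ops, total) in flag_fanout(sample_transfers()).items():
        print(f"{src}: {n} recipients, {ops} operator logins, total {total}")
```

Passing the local public-holiday calendar as `holidays` extends the off-hours check beyond weekends; a high operator-login count on one flagged source is worth reviewing alongside credential-theft alerts.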
The finding, from research carried out in collaboration with telecom giant Orange, that OPERA1ER managed to pull off the banking fraud operation by relying solely on publicly available malware highlights the effort that has gone into studying the internal networks of the organizations.
"There are no zero-day threats in OPERA1ER's arsenal, and the attacks often use exploits for vulnerabilities discovered three years ago," the company noted. "By slowly and carefully inching their way through the targeted system, they were able to successfully carry out at least 30 attacks all around the world in less than three years."