African banking sector targeted by malware-based phishing campaign


Attackers use HTML smuggling techniques to hide malicious files in fake job postings

A cybercrime campaign targeting the African banking sector is leveraging phishing emails and HTML smuggling techniques to deploy malware.

A series of attacks has been reported across West Africa, with attackers posing as prospective employers to trick victims into downloading malicious files.

HP Wolf Security researchers, who tracked the campaign, noted that they first spotted the attacks in “early 2022”, when an employee of an unnamed West African bank received an email claiming to come from a recruiter at another African bank with information on employment opportunities.

On investigation, the researchers discovered that the domain used to send the email was typosquatted and did not belong to the impersonated organization.

A WHOIS query later revealed that the domain had been registered in December 2021, and visiting the website returned an HTTP 404 response. To make the decoy more believable, the threat actor also included a reply address from ‘another supposed employee of the bank who is recruiting’.

Smuggling Campaign

The emails contained HTML files which, if opened, prompted the user to download an ISO file. The ISO in turn contained a Visual Basic script that launched the malware.

This technique, called HTML smuggling, lets attackers carry malicious files past the email gateway's security controls, because the payload is assembled in the recipient's browser rather than arriving as a conventional attachment.
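For defenders, the useful question is what such an attachment looks like before it is opened. The following Python script is an added example for this article, not code from The Daily Swig or from HP Wolf Security: it triages an HTML attachment for the three ingredients described above (an embedded base64 payload, browser JavaScript that decodes it and offers it as a download, and a download filename with a risky extension such as .iso) and also decodes the blob to identify the payload by file magic. The indicator lists, the weights and threshold, and the two sample attachments are all assumptions constructed for this example.

```python
"""Static triage of HTML email attachments for HTML-smuggling markers.

Added example, not from the article or HP Wolf Security. It looks for the
three ingredients a smuggled attachment needs: an embedded base64 payload,
JavaScript that decodes it into a Blob and offers it as a download, and a
download filename with a risky extension. Indicator lists, weights and the
sample attachments are assumptions constructed for this example.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Browser APIs used to turn an in-page string into a downloadable file.
DOWNLOAD_APIS = ("URL.createObjectURL", "msSaveOrOpenBlob", "new Blob(", "atob(")
# Extensions that have no business arriving inside an HTML attachment.
RISKY_EXT = ("iso", "img", "vbs", "exe", "lnk", "zip")

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DOWNLOAD_NAME = re.compile(r"""download\s*=\s*["']([^"']+)["']""", re.I)
FILE_LITERAL = re.compile(
    r"""["']([^"'\s]+\.(?:%s))["']""" % "|".join(RISKY_EXT), re.I
)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # threshold is an assumption for this example


def classify_payload(data: bytes) -> Optional[str]:
    """Identify a decoded blob by file magic; ISO 9660 puts 'CD001' at 0x8001."""
    if data.startswith(b"MZ"):
        return "PE executable"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "ISO 9660 image"
    return None


def scan_html(html: str) -> Verdict:
    """Score one HTML attachment; reasons explain every point awarded."""
    v = Verdict()
    apis = [a for a in DOWNLOAD_APIS if a in html]
    if apis:
        v.score += 1
        v.reasons.append("decode/download APIs: " + ", ".join(apis))
    names = set(DOWNLOAD_NAME.findall(html)) | set(FILE_LITERAL.findall(html))
    risky = sorted(n for n in names if n.lower().rsplit(".", 1)[-1] in RISKY_EXT)
    if risky:
        v.score += 2
        v.reasons.append("risky download filename(s): " + ", ".join(risky))
    for m in B64_BLOB.finditer(html):
        v.score += 1
        v.reasons.append(f"embedded base64 blob of {len(m.group())} chars")
        try:
            data = base64.b64decode(m.group(), validate=True)
        except binascii.Error:
            continue  # not valid base64, so it is not a decodable payload
        kind = classify_payload(data)
        if kind:
            v.score += 2
            v.reasons.append(f"decoded blob is a {kind}")
    return v


# --- constructed samples -------------------------------------------------
def _fake_iso() -> bytes:
    """Constructed: zero-filled image carrying only the ISO 9660 magic."""
    img = bytearray(0x8100)
    img[0x8001:0x8006] = b"CD001"
    return bytes(img)


# Inert fragment carrying the markers a smuggled attachment has (nothing is clicked).
SMUGGLING_SAMPLE = """<html><body><p>Job description attached.</p><script>
var payload = "%s";
var blob = new Blob([atob(payload)]);
var link = document.createElement("a");
link.download = "Job_Description.iso";
link.href = URL.createObjectURL(blob);
</script></body></html>""" % base64.b64encode(_fake_iso()).decode()

# A newsletter with an inline image: one large blob, but nothing else.
BENIGN_SAMPLE = """<html><body><h1>Monthly update</h1>
<img src="data:image/png;base64,%s" alt="logo"></body></html>""" % (
    base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()
)

if __name__ == "__main__":
    for name, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = scan_html(sample)
        print(f"{name}: score={v.score} suspicious={v.suspicious}")
        for r in v.reasons:
            print("  -", r)
```

The benign newsletter scores only for its inline image blob, which keeps it below the threshold; the smuggling fragment is flagged for the download APIs, the .iso filename and the decoded blob carrying an ISO 9660 signature. In a mail-gateway pipeline the same scan would run on every text/html attachment and, for high scores, the decoded payload would be detonated or blocked rather than delivered.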

HP Wolf Security researchers found that the attackers were using a downloader called GuLoader, which is launched by PowerShell from code stored in the registry and otherwise runs only in memory.

“Detecting such a chain of infection is not easy, as the malware resides only in memory and registry,” the researchers noted in a blog post.
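A chain that leaves no file on disk is still visible in process telemetry, because the PowerShell process that reads the registry and executes what it finds has to be created. The following Python script is an added example for this article, not code from The Daily Swig or from HP Wolf Security: it runs a behavioural rule over process-creation records and reports a PowerShell process whose command line both reads from the registry and uses an in-memory or encoded execution primitive, raising the severity when the parent is a script host (the VBS stage described above) or the window is hidden. The record format, the sample records, the registry key name and the indicator lists are constructed assumptions for this example.

```python
"""Flag PowerShell that pulls its code from the registry and runs it in memory.

Added example, not from the article or HP Wolf Security. A single registry
read or a single encoded command is routine admin activity, so the rule
only fires when both appear in one PowerShell command line; a script-host
parent or a hidden window raises the severity. The record format, sample
records and registry key name are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    severity: str
    reasons: List[str]


def parse_line(line: str) -> Event:
    """Constructed record format: "<timestamp>|<parent image>|<image>|<command line>"."""
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(ts.strip(), parent.strip(), image.strip(), cmdline.strip())


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that read values out of the registry.
REGISTRY_READ = re.compile(
    r"HK(?:CU|LM|EY_[A-Z_]+):?\\|Get-ItemProperty(?:Value)?|\[Microsoft\.Win32\.Registry",
    re.I,
)
# Primitives that run code without writing a script file to disk.
INMEM_EXEC = re.compile(
    r"Invoke-Expression|\bIEX\b|-e(?:nc(?:odedcommand)?)?\s|\[Reflection\.Assembly\]::Load|VirtualAlloc",
    re.I,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def evaluate(ev: Event) -> Optional[Finding]:
    """Return a Finding for a registry-to-memory PowerShell launch, else None."""
    if _basename(ev.image) not in POWERSHELL:
        return None
    reads_registry = bool(REGISTRY_READ.search(ev.cmdline))
    in_memory = bool(INMEM_EXEC.search(ev.cmdline))
    if not (reads_registry and in_memory):
        return None  # either one alone is common administrative activity
    reasons = ["reads code or data from the registry", "in-memory or encoded execution"]
    severity = "medium"
    parent = _basename(ev.parent)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
        severity = "high"
    if HIDDEN_WINDOW.search(ev.cmdline):
        reasons.append("hidden window")
        severity = "high"
    return Finding(ev.ts, severity, reasons)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over raw records, skipping blank lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = evaluate(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed records: an admin registry query, a script-host-spawned loader, a scheduled script.
SAMPLE_LOG = r"""
2022-03-01T09:12:03Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object ProductName"
2022-03-01T09:14:27Z|C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -c "IEX (Get-ItemProperty 'HKCU:\Software\PLACEHOLDER_KEY').stage"
2022-03-01T09:20:00Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\scripts\backup.ps1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} [{f.severity}] " + "; ".join(f.reasons))
```

Only the second record fires: the first reads the registry but executes nothing in memory, and the third does neither. The same rule maps directly onto Sysmon event ID 1 or EDR process-creation telemetry, where the parent image, image and command line fields are already separated.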

Patrick Schläpfer, malware analyst at HP Wolf Security, said that while the research team is unsure why Africa in particular has been targeted, financial institutions generally offer “a high degree of opportunity for cybercriminals to monetize access and stolen data if they successfully compromise a bank’s network.”

Schläpfer added: “In this campaign, the forwards used a combination of attacking techniques. We recommend that businesses watch out for brand abuse, i.e. typosquatted websites impersonating their brand.

“If these are found, they should be reported to the hosting provider and domain registrar as soon as possible.

“In addition, organizations must also ensure that they have visibility into their network to isolate or block the behavior of malicious processes. These recommendations apply to all organizations, not just the banking sector in Africa.”

The researcher also noted that while techniques such as phishing emails aren’t necessarily sophisticated, “such attacks still lead to infections.”

Schläpfer added: “In this campaign, the attackers made unusual efforts to create fake websites in order to increase the credibility of their emails and therefore the risk of infection.

“The HTML smuggling technique also stands out because it is not easy to detect and therefore often goes through users’ email gateway.”

You can find more information about the campaign in HP Wolf Security’s blog post.
