In a newly published report, security researchers from Symantec now reveal more details about the activities of the hacker group Bluebottle, which is said to include “Opera1er”.
According to Symantec’s findings, the Opera1er attacks on banks in French-speaking countries used a signed Windows driver, which likely came from a threat actor who stole more than 10 million euros from various banks.
Security software turned off
The Symantec report explains some technical details that make you sit up and take notice. These include the use of the infamous GuLoader tool to load malware, and a signed driver that the attacker can use to shut down security software processes. According to Symantec, the malware consists of two components: “a controlling DLL that reads a list of processes from a third file, and a signed ‘helper’ driver that is controlled by the first driver and used to kill the processes in the list.” Bluebottle also used other malicious tools: Mimikatz to extract passwords, keyloggers to record keystrokes and the Netwire Trojan for remote access.
It also appears that the signed malicious driver has been used by various cyber criminals.
They all have one thing in common – the signatures used come from the Windows Hardware Developer program and were therefore verified by Microsoft as legitimate. Identifying these signatures as malicious is not easy. It has been known since last month at the latest that these signatures were stolen. However, there were indications of the stolen certificates as early as the summer of 2022, and they were very popular with cybercriminals.
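The two paragraphs above describe the core defensive problem: a process-killing driver whose signature is genuinely Microsoft’s, so signature validation alone does not flag it. The following PowerShell is an added example for defenders, not code from the Symantec report or from Microsoft. It enumerates the kernel drivers currently running, checks each file’s Authenticode signer, and reports drivers signed by the Windows Hardware Compatibility Publisher that are not on a local baseline. The baseline file path and the idea of keeping such a list are assumptions for this example; the publisher name matched is the common name Microsoft uses on WHCP-signed drivers.

```powershell
# Added example (not from the Symantec report): hunt for running kernel
# drivers that carry a Windows Hardware Compatibility Publisher signature
# but are not in a defender-maintained baseline of expected drivers.
# Assumption: $baselinePath is a hypothetical text file, one full driver
# path per line, built on a known-clean system.

$baselinePath = 'C:\baseline\known-drivers.txt'   # hypothetical location
$baseline = if (Test-Path $baselinePath) { Get-Content $baselinePath } else { @() }

# Win32_SystemDriver lists kernel-mode drivers; keep only those loaded now.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($d in $drivers) {
    # PathName may use NT-style prefixes; normalize to a Win32 path.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = $sig.SignerCertificate.Subject

    # A WHCP-signed driver that nobody expected on this host is worth a look,
    # regardless of whether the signature itself still validates.
    if ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*' -and
        $baseline -notcontains $path) {
        [PSCustomObject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status
            Signer = $subject
        }
    }
}
```

Two caveats follow from the article itself. First, the signature status will read as valid until the abused certificates are revoked on the host, so the baseline comparison, not the signature check, is what produces the signal. Second, this only covers drivers that are loaded at the time the script runs; a driver dropped and loaded briefly to kill security processes needs driver-load telemetry (for example Sysmon event ID 6) rather than a point-in-time inventory.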