Security News > 2023 > January > Bluebottle hackers used signed Windows driver in attacks on banks

A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
Symantec's report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver that helps the attacker kill processes for security products running on the victim network.
The researchers say that the malware had two components, "a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list."
Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.
The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.
While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB..
News URL
Related news
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) (source)
- Windows NTLM hash leak flaw exploited in phishing attacks on governments (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Hackers abuse Zoom remote control feature for crypto-theft attacks (source)
- DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack (source)
- Lazarus hackers breach six companies in watering hole attacks (source)
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool (source)
- Play ransomware exploited Windows logging flaw in zero-day attacks (source)