Security News > 2023 > January > Bluebottle hackers used signed Windows driver in attacks on banks

A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
Symantec's report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver that helps the attacker kill processes for security products running on the victim network.
The researchers say that the malware had two components, "a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list."
Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.
The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.
While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB..
News URL
Related news
- New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Russian hackers attack Western military mission using malicious drive (source)
- Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) (source)