Security News > 2023 > January > Bluebottle hackers used signed Windows driver in attacks on banks
A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
Symantec's report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver that helps the attacker kill processes for security products running on the victim network.
The researchers say that the malware had two components, "a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list."
Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.
The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.
While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB..
News URL
Related news
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- Critical Rust flaw enables Windows command injection attacks (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks (source)