Security News > 2023 > January > Bluebottle hackers used signed Windows driver in attacks on banks

A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.

Symantec's report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver that helps the attacker kill processes for security products running on the victim network.

The researchers say that the malware had two components, "a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list."

Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.

The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.

While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB..

News URL

https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-signed-windows-driver-in-attacks-on-banks/