Two-Year Long DangerousSavanna Campaign Attack Financial and Banking Institutions

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing
Over the past two years, a persistent malicious campaign dubbed “DangerousSavanna” has targeted major financial institutions and insurance companies.

In Central and Western Africa, more than 85% of financial institutions have repeatedly been victimized by a variety of damaging cyberattacks on multiple occasions.

The worst possible outcomes for the financial sector and the banking sector resulting from intrusions into network systems in a quarter of these cases are:-

  • Information leaks
  • Identity theft
  • Money transfer fraud
  • Bank withdrawals on false checks

Countries Targeted

Listed below are all of the countries that are targeted in this campaign:-

The spear-phishing attacks are targeted at all of the countries listed above. It can be seen in recent months that particular attention has been paid heavily to Ivory Coast.

Technical Analysis

A social engineering attack is an attack where malicious attachments are embedded in emails that are sent to employees of financial institutions as a technique for gaining access to the data.

As a consequence, off-the-shelf malware such as the following ones, have been deployed as a result:-

  • Metasploit
  • PoshC2
  • DWservice
  • AsyncRAT

As the threat actors aggressively pursue the employees of the targeted companies in the early stages of infection, one can see the level of creativity they bring to the attack.

According to the report, The infection chain varies frequently from one infection chain to another, depending on the combination of self-authored executable loaders and malicious file types used to spread the infection. Here below we have mentioned the file types used:-

  • ISO
  • LNK
  • JAR
  • VBE

A number of fake emails are being sent out on Gmail and Hotmail services which are written in French. Also, in order to enhance the credibility of the financial institutions, these messages impersonate other institutions in Africa.

The first waves of attacks were reported in late 2020 and early 2021, which were primarily based on .NET-based tools and used to target a range of systems.

While the next-stage droppers and loaders were disguised as PDF files and sent as attachments in phishing emails to be downloaded from remote servers.

A number of activities may be undertaken following the initial foothold after it has been established. Among these are:

  • Maintaining persistence over a long period of time.
  • Reconnaissance activities are carried out.
  • The delivery of additional payloads.

It is still unclear exactly where the threat actor originated from. In contrast, the recurring changes to its tools and methods illustrate the understanding of open-source software and strategies for maximizing the profits of the threat actors.