Experts detail recent activities of the OPERA1ER threat group

November 4, 2022

Over 30 successful cyberattacks against organisations across Asia, Latin America, and Africa have been recorded since 2018 in campaigns run by a French-speaking hacker group named OPERA1ER. The sectors targeted by the group include financial institutions and telecommunication firms.

Researchers said that five banks in several West African countries, including Senegal, Burkina Faso, the Republic of Côte d’Ivoire, and Benin, have already been struck by OPERA1ER attacks. Some of these victims were compromised twice, and in some cases their infrastructure was weaponised with malware to infect other organisations.


First spotted in 2016, the OPERA1ER group has run financially motivated cyberattack campaigns, including stealing data from victims and reusing it in spear-phishing attacks.


A report shared by researchers stated that OPERA1ER often attacks during weekends and public holidays, when security teams are likely to be off duty, which gives the attackers more freedom to carry out malicious activities unnoticed.

Additionally, the threat group’s arsenal consists mainly of open-source programs, malware, and RATs that are commonly available on underground marketplaces. Payloads observed in the group’s operations include BitRAT, Cobalt Strike Beacon, Nanocore, and Metasploit.

The threat group’s attack chain usually begins with spear-phishing emails sent to its targets, written in French with occasional English. These malicious emails carry ZIP archive attachments or URLs pointing to a Google Drive page, Discord servers, malware-infested sites, and other unsafe domains. Through various persuasion tactics, victims are lured into downloading RATs onto their machines.

Once the RAT payload is executed, the attackers deploy post-exploitation frameworks, including Metasploit Meterpreter and Cobalt Strike Beacon, on the compromised computer. These payloads establish persistent access to the machine and exfiltrate critical data.

Furthermore, OPERA1ER’s final attack phase involves hacking into the victim’s digital banking backend, allowing the group to fraudulently transfer funds to its own accounts. These funds are then withdrawn from ATMs by money mules the group hired in advance.
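The lure characteristics described above (ZIP attachments, links to Google Drive or Discord) and the weekend/holiday timing noted earlier are the kind of observations a defender can turn into a triage rule. The following script is an added example, not code from the report or its authors: it scans constructed mail-gateway records (the field names and the sample messages are assumptions, not a real gateway's export format) and flags messages that match the lure pattern, adding the off-hours timing as an aggravating factor. The placeholder holiday list must be replaced with the organisation's own calendar.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample mail-gateway records. The field layout is an assumption
# made for this example, not any real gateway's export format.
SAMPLE_MESSAGES = [
    {"id": "m1", "received": "2022-10-29T09:12:00", "subject": "Facture en attente de paiement",
     "attachments": ["facture_0923.zip"], "urls": []},
    {"id": "m2", "received": "2022-10-31T14:03:00", "subject": "Document partage avec vous",
     "attachments": [], "urls": ["https://drive.google.com/file/d/EXAMPLE_ID/view"]},
    {"id": "m3", "received": "2022-11-02T08:45:00", "subject": "Weekly report",
     "attachments": ["report.pdf"], "urls": ["https://intranet.example.com/report"]},
    {"id": "m4", "received": "2022-11-06T11:30:00", "subject": "Urgent: mise a jour",
     "attachments": [], "urls": ["https://cdn.discordapp.com/attachments/1/2/setup.exe"]},
]

# Hosts matching the lure destinations the report names (Google Drive, Discord).
LURE_HOSTS = {"drive.google.com", "docs.google.com",
              "discord.com", "discordapp.com", "cdn.discordapp.com"}

# The report names ZIP archives; other archive types are not included here.
ARCHIVE_EXTENSIONS = (".zip",)

# Placeholder: public holidays are organisation-specific. One constructed
# entry (All Saints' Day 2022) is used so the example has something to match.
PUBLIC_HOLIDAYS = {"2022-11-01"}


def lure_host(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a known lure host."""
    host = (urlparse(url).hostname or "").lower()
    return host in LURE_HOSTS or any(host.endswith("." + h) for h in LURE_HOSTS)


def off_hours(received: str) -> bool:
    """True if the ISO timestamp falls on a weekend or a listed public holiday."""
    ts = datetime.fromisoformat(received)
    return ts.weekday() >= 5 or ts.date().isoformat() in PUBLIC_HOLIDAYS


def score_message(msg: dict) -> list:
    """Return the list of reasons a message looks like the described lure.

    Off-hours delivery is only appended when a lure indicator is already
    present; on its own it is far too common to be a useful signal.
    """
    reasons = []
    for name in msg.get("attachments", []):
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            reasons.append(f"archive attachment: {name}")
    for url in msg.get("urls", []):
        if lure_host(url):
            reasons.append(f"link to lure host: {urlparse(url).hostname}")
    if reasons and off_hours(msg["received"]):
        reasons.append("received on weekend/holiday")
    return reasons


def triage(messages) -> dict:
    """Map message id -> reasons for every message that raised at least one."""
    flagged = {}
    for msg in messages:
        reasons = score_message(msg)
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

Matching on the link host rather than the full URL keeps the rule stable when the attacker rotates file IDs, and treating subdomains of a lure host as matches covers the Discord CDN path shown in the sample. In a real deployment the flagged messages would be routed to an analyst queue rather than blocked outright, since legitimate Google Drive shares are common.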

Experts underline that, because the group relies on publicly available malware and the exploitation of known vulnerabilities rather than novel tooling, its success indicates considerable time and effort invested in studying each victim’s infrastructure before an attack.
