"Bluebottle Hackers Used Signed Windows Driver in Attacks on Banks"

A signed Windows driver was used in attacks on banks in French-speaking countries, most likely by the threat actor that has stolen over $11 million from multiple banks. The operations and targets are consistent with the OPERA1ER group, which has been linked to at least 35 successful attacks between 2018 and 2020. The gang is suspected of having French-speaking members and operating from Africa, and it mostly targets enterprises in that region, although it has also hit companies in Argentina, Paraguay, and Bangladesh. Symantec researchers have now published details on the activity of a cybercriminal group they call Bluebottle, which shares many tactics, techniques, and procedures (TTPs) with OPERA1ER. The cybersecurity firm Group-IB documented OPERA1ER's operations in a report issued in early November 2022, noting the absence of custom malware and the heavy reliance on open-source and commodity frameworks. Symantec's research adds technical specifics, including the use of the GuLoader tool to load malware and a signed Windows driver that the attackers load into the kernel to terminate the processes of security products running on the victim's network. The signature matters because 64-bit Windows refuses to load unsigned kernel code, so a validly signed driver passes that check and, once running in kernel mode, can kill protected security-product processes that user-mode malware cannot. This article continues to discuss OPERA1ER's campaigns and the findings regarding the Bluebottle cybercriminal group.
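A practical starting point for hunting this technique on an endpoint is to enumerate the kernel drivers that are actually loaded, check who signed each one, and look for recently installed driver services. The PowerShell below is an added example written for this summary; it is not code from the Bleeping Computer or Symantec reporting, and it does not identify the specific driver those reports describe. The Microsoft signer allow-list pattern, the seven-day window, and the reliance on System event 7045 are assumptions to tune for your environment.

```powershell
# Added hunting check (not from the reporting summarised above): list running
# kernel drivers, verify their Authenticode signatures, and flag any that are
# unsigned, invalidly signed, or signed by someone other than Microsoft.
# The signer pattern is an assumption; extend it for vendors you trust.
$trustedSignerPattern = 'CN=Microsoft Windows|CN=Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''             # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path $path)) { continue }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    # Skip only drivers that are both validly signed and signed by the allow-listed publisher.
    if ($sig.Status -eq 'Valid' -and $signer -match $trustedSignerPattern) { continue }

    [pscustomobject]@{
        Name       = $drv.Name
        Path       = $path
        SigStatus  = $sig.Status
        Signer     = $signer
        Thumbprint = $thumb
        StartMode  = $drv.StartMode
    }
}

"Running kernel drivers not validly signed by the allow-listed publisher:"
$findings | Sort-Object SigStatus, Signer | Format-Table -AutoSize

# Kernel-driver service installations in the last 7 days. Event 7045 in the System
# log records new services; its message states 'kernel mode driver' for drivers.
"Kernel-mode driver services installed in the last 7 days (System event 7045):"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List
```

Run it in an elevated PowerShell session on the host under review. A valid signature is not a clean bill of health: the attack described above worked precisely because the driver was validly signed, so the list of non-Microsoft signers is a review queue, not a verdict. Correlate each entry's signer, file path, and install time with what is expected on that host, and where Sysmon is deployed its DriverLoad events (Event ID 6) give the same visibility with hashes included.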

Bleeping Computer reports "Bluebottle Hackers Used Signed Windows Driver in Attacks on Banks"
