APN News

  Hackers target major financial institutions in French-speaking African countries over the last two years

    Published on September 6, 2022

    New Delhi – Check Point Research (CPR) reveals a persistent cyberattack campaign that has targeted major financial institutions in French-speaking African countries for the past two years. Dubbed ‘DangerousSavana’, the attackers use spear-phishing techniques to initiate infection chains, sending emails with malicious attachments in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. Diverse file types, such as PDF, Word, ZIP and ISO files, are used to lure victims. CPR suspects the hackers are financially motivated and warns of their persistence, diversification and iterative nature.

    • Hackers used lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank and Nedbank
    • Threat campaign heavily focused on the Ivory Coast these last few months
    • CPR shares example of malicious email and timelines of infection chains and lure documents

    Check Point Research (CPR) has uncovered a persistent cyberattack campaign targeting major financial institutions in French-Speaking African countries for the past two years.

    Dubbed ‘DangerousSavana’ by CPR, the attackers use spear-phishing to initiate infection chains, sending malicious attachment emails in French to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The threat campaign heavily focused on the Ivory Coast these last few months.

    Attack Methodology: 

    The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies. Since 2021, the hackers have been attaching malicious files to their phishing emails. These documents are either Word documents with macros, documents with a remote template (or, in some cases, a few layers of external templates), or PDF documents, which lure the victim into downloading and then manually executing the next stage.

    After the victim opens the file, it communicates with malicious C&C servers and downloads frameworks like Metasploit or PoshC2 that allow the threat actors to do nearly whatever they want in the victim network.

    In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company.
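    Two of the lure document types described above, Word files carrying VBA macros and Word files that pull a remote (external) template, leave inspectable traces inside the OOXML archive. The following is an added defensive example, not Check Point's tooling or any sample from the campaign: it builds a constructed docx-like archive and flags a `word/vbaProject.bin` part and any `attachedTemplate` relationship whose `TargetMode` is `External`. The sample URL is a placeholder.

```python
"""Flag Word-document lures of the kinds the article describes: embedded VBA macros
and remote (external) attached templates. Added example, not the campaign's files."""
import io
import re
import zipfile
from typing import Optional

# OOXML relationship type for an attached template (defined in ECMA-376).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def inspect_docx(data: bytes) -> dict:
    """Return {'macros': bool, 'remote_templates': [urls]} for an OOXML Word file."""
    findings = {"macros": False, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A vbaProject.bin part means the document carries VBA macros.
        findings["macros"] = "word/vbaProject.bin" in names
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            for tag in REL_RE.findall(zf.read(rels).decode("utf-8", "replace")):
                attrs = dict(ATTR_RE.findall(tag))
                # An attachedTemplate relationship pointing outside the archive
                # is fetched when the document opens: the remote-template trick.
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and attrs.get("TargetMode", "").lower() == "external"):
                    findings["remote_templates"].append(attrs.get("Target", ""))
    return findings


def build_sample(remote_url: Optional[str], with_macro: bool) -> bytes:
    """Construct a minimal docx-like archive for testing (constructed, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
        if remote_url:
            zf.writestr("word/settings.xml",
                        '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (ATTACHED_TEMPLATE, remote_url))
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_sample("http://template.invalid/lure.dotm", False)))
```

On a real file, feed `inspect_docx` the bytes of the attachment; a macro part or an external template target is a strong signal to detonate the file in a sandbox rather than open it.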

    Quote: Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:

    “We have discovered a persistent threat actor targeting major financial institutions over at least the last two years in the French-speaking African countries. Our suspicion is that this is a financially motivated cybercriminal, but we don’t have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected. Our assessment shows that this actor will continue trying until a weakness is found, or until an employee makes a mistake.

    Usually when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems. Cybercriminals believe that fragile economies in some parts of Africa may be a factor at play with consequent lack of investment in cyber security. But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1,144 weekly cyberattacks on average.”

    Cyber Safety Tips:

    To better protect against spear-phishing attacks, CPR recommends that organizations:

    1. Keep your systems up-to-date with the latest security patches
    2. Implement multi-factor authentication wherever possible
    3. Confirm suspicious email activity before interacting with it
    4. Educate your employees and regularly test their knowledge
