Full Report
Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access. Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014, where "CL" refers to "cluster" and "CRI" stands for "criminal motivation." It's suspected
Analysis Summary
# Threat Actor: CL-CRI-1014
## Attribution & Identity
The threat activity is currently tracked by Palo Alto Networks Unit 42 under the moniker **CL-CRI-1014** ("CL" for cluster, "CRI" for criminal motivation). The profile suggests the actor functions as an **Initial Access Broker (IAB)**.
## Activity Summary
Cyber criminals have been actively targeting financial organizations across Africa since at least July 2023. The primary objective appears to be gaining initial network access and subsequently selling that access on underground forums to other criminal actors. The attacks rely on exploiting open-source and publicly available tools.
## Tactics, Techniques & Procedures
- **Initial Access:** The initial access vector is not stated in the source description.
- **Execution/Persistence:** Deploys **MeshCentral Agent** followed by **Classroom Spy** for remote administration.
- **Command and Control (C2):** Utilizes **PoshC2** for establishing C2 communication, sometimes customized to use a proxy setup based on stolen user credentials.
- **Defense Evasion:**
  - Forges file signatures by copying signature data from legitimate applications onto its tools.
  - Spoofs legitimate software icons (Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools) for malicious payloads.
- **Persistence Mechanisms for PoshC2:**
  1. Setting up a service.
  2. Creating a Windows shortcut (LNK) file in the Startup folder.
  3. Using a scheduled task named "Palo Alto Cortex Services."
- **Lateral Movement/C2 Tunneling:** Uses **Chisel** to tunnel malicious network traffic, bypassing firewalls and enabling the spread of PoshC2 to other Windows hosts.
## Targeting
- Sectors: Financial Institutions
- Geography: Africa (the source notes possible links to earlier incidents in Coast, Morocco, Cameroon, Senegal, and Togo)
- Victims: Financial organizations.
## Tools & Infrastructure
- **Malware/Tools Used:**
  - PoshC2 (used for C2 and proxy setup)
  - Chisel (tunneling/C2 transport)
  - Classroom Spy (remote administration)
  - MeshCentral Agent
- **Infrastructure:** Uses PoshC2 C2 servers, sometimes tailored for the environment and utilizing proxies. (No specific defanged IPs/URLs provided in the source text for this actor's direct infrastructure).
## Implications
CL-CRI-1014 acts as a disruptive Initial Access Broker primarily targeting the financial sector in Africa, significantly lowering the barrier to entry for subsequent ransomware or larger intrusion campaigns by selling pre-established footholds. Their use of legitimate-looking persistence mechanisms and open-source tools complicates signature-based detection.
## Mitigations
- Implement robust network monitoring to detect anomalous C2 traffic patterns associated with tunneling tools like Chisel.
- Scrutinize the creation of new Windows Services, Startup folder entries, and Scheduled Tasks, particularly those mimicking legitimate vendor names (e.g., "Palo Alto Cortex Services").
- Enhance endpoint detection capabilities to detect file forging or digital signature spoofing attempting to mask malicious binaries.
- Review and restrict the use of publicly available offensive tools like PoshC2 and Chisel within the environment.
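As an added example (not code from the Unit 42 report or from any vendor), the following Python hunt turns the three PoshC2 persistence mechanisms listed under Tactics, Techniques & Procedures and the second mitigation above into a concrete check: it walks records describing new services, scheduled tasks and Startup-folder shortcuts and flags the ones whose name borrows a vendor's name while the binary runs from outside that vendor's install directory. The record layout, the trusted-directory list and every sample record are assumptions constructed for the example; in practice the records would be pulled from System event 7045 (service installed), Security event 4698 (scheduled task created) and a listing of the Startup folders.

```python
"""Hunt for vendor-impersonating persistence artifacts (service, scheduled task, Startup LNK).

Added example; all records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Vendor terms the page says the actor impersonated (Palo Alto Cortex, Teams, VMware Tools).
VENDOR_TERMS = ("palo alto", "cortex", "vmware", "teams")

# Where the genuine products install their binaries (assumed defaults; tune per environment).
TRUSTED_DIRS = (
    "c:\\program files\\palo alto networks",
    "c:\\program files\\vmware",
    "c:\\program files\\microsoft",
    "c:\\program files (x86)\\microsoft",
)


def _norm(path: str) -> str:
    """Lower-case a command line, drop surrounding quotes and any arguments after the executable."""
    p = path.strip().strip('"').lower()
    idx = p.find(".exe")
    return p[: idx + 4] if idx != -1 else p.split(" ")[0]


def mimics_vendor(name: str) -> bool:
    """True when a service/task/shortcut name contains an impersonated vendor term."""
    n = name.lower()
    return any(term in n for term in VENDOR_TERMS)


def in_trusted_dir(path: str) -> bool:
    """True when the executable sits under one of the vendors' expected install directories."""
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


@dataclass(frozen=True)
class Finding:
    artifact: str  # "service", "scheduled_task" or "startup_lnk"
    name: str
    binary: str
    reason: str


def evaluate(record: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding for one persistence record, or None when it looks legitimate."""
    kind = str(record["kind"])
    name = str(record["name"])
    binary = str(record["binary"])
    if kind == "startup_lnk":
        # Vendors rarely persist through per-user Startup shortcuts, so any LNK that launches
        # a binary from outside the trusted directories is worth review, vendor-like name or not.
        if not in_trusted_dir(binary):
            return Finding(kind, name, binary, "Startup shortcut launches a binary outside trusted vendor directories")
        return None
    if mimics_vendor(name) and not in_trusted_dir(binary):
        return Finding(kind, name, binary, "vendor-like name but binary outside that vendor's install directory")
    return None


def hunt(records: List[Dict[str, object]]) -> List[Finding]:
    """Evaluate every record and keep only the suspicious ones."""
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample records shaped like fields extracted from event 7045 (service installed),
# event 4698 (scheduled task created) and a Startup folder listing.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"kind": "service", "event_id": 7045, "name": "Palo Alto Cortex Services",
     "binary": "C:\\Users\\Public\\Libraries\\cortex.exe"},
    {"kind": "service", "event_id": 7045, "name": "Cortex XDR",
     "binary": "\"C:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe\""},
    {"kind": "scheduled_task", "event_id": 4698, "name": "\\Palo Alto Cortex Services",
     "binary": "C:\\ProgramData\\Teams\\teams.exe -service"},
    {"kind": "scheduled_task", "event_id": 4698, "name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "binary": "%windir%\\system32\\defrag.exe -c"},
    {"kind": "startup_lnk", "name": "VMware Tools.lnk",
     "binary": "C:\\Users\\alice\\AppData\\Roaming\\vmtools.exe"},
    {"kind": "startup_lnk", "name": "Teams.lnk",
     "binary": "C:\\Program Files\\Microsoft\\Teams\\Teams.exe"},
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(f"[{finding.artifact}] {finding.name!r} -> {finding.binary}: {finding.reason}")
```

Run against the sample set, the hunt flags the "Palo Alto Cortex Services" service and scheduled task and the VMware-named Startup shortcut, while the genuine Cortex XDR service, the built-in Defrag task and the Teams shortcut under Program Files pass. The name-plus-path pairing is what keeps the check useful: the actor's artifacts copy a vendor's name but cannot write into the vendor's protected install directory, so the mismatch, not the name alone, is the signal.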