
Unit 42, the threat intelligence arm of Palo Alto Networks, has revealed an ongoing cyber campaign targeting financial institutions across Africa.
The threat group, tracked as CL-CRI-1014, has been active since at least July 2023 and is believed to be operating as an initial access broker.
These actors gain unauthorized access to networks and then sell this access to other threat groups on darknet markets.
The attackers consistently use a set of open-source and freely available tools. These include:
- PoshC2, an open-source command-and-control framework;
- Chisel, a TCP/UDP tunnelling tool that carries traffic over HTTP and is used to bypass network controls;
- Classroom Spy, a remote administration tool originally designed for classroom monitoring.
These tools are deployed to infiltrate, maintain persistence, and control infected systems across targeted financial environments.
PowerShell scripts deploy Classroom Spy: they extract it from an archive and install it as a Windows service. Once running, the tool gives the operator live screen monitoring, keylogging, file exfiltration, webcam access and audio recording.
The threat actors hide these tools by renaming the binaries to system-like names such as vm3dservice.exe (the name of a legitimate VMware service binary) or systemsvc.exe, so a casual look at a process list does not raise suspicion.
The attackers leverage legitimate administrative tools and protocols to move laterally within the network, including PsExec and DCOM.
In some cases, they create remote services or schedule tasks that appear to be associated with legitimate software, such as Palo Alto Cortex Services, further disguising malicious activity.
Some implants are wrapped in loaders written in Nim that run the payload only when the host is joined to an Active Directory domain. Analysis sandboxes and researcher VMs are usually not domain-joined, so the check works as an anti-analysis measure.
Hard-coded credentials and IP addresses embedded in the payloads indicate that the attackers build each implant for its target environment.
They use these credentials to configure PoshC2 to route its traffic through the target's proxy server, so command-and-control traffic blends in with what appears to be legitimate internal communications.
The group also uses Chisel to establish covert tunnels and SOCKS proxies, forwarding traffic to attacker-controlled servers while bypassing network firewalls.
To evade detection, the actors disguise their tools using forged digital signatures, process names, file icons, and file paths, mimicking known brands such as Microsoft, Cortex, and VMware.
This campaign reflects a broader threat trend where initial access brokers play a key role in enabling ransomware groups and espionage actors by selling access into compromised networks.
The commoditization of access increases the risk of follow-on attacks and data breaches in already compromised institutions.
Recommendations for African organizations:
- Monitor for unusual PowerShell executions, particularly those that extract archives or install services for remote administration tools.
- Inspect scheduled tasks and startup entries for suspicious names or paths mimicking legitimate services.
- Review endpoint systems for binaries such as systemsvc.exe, vm3dservice.exe or CortexUpdater.exe, especially when found outside the directories where the genuine VMware or Cortex binaries live, or when the file's embedded original name does not match its name on disk.
- Audit the use of administrative tools such as PsExec and DCOM within internal environments.
- Watch for tunnelling utilities like Chisel, including renamed copies (match on command-line syntax, not only on file names), and for signs of SOCKS proxy usage within your network.
- Deploy network-based threat hunting to detect covert communication with unknown or suspicious external IPs.
- Update endpoint and network defences with indicators of compromise (IoCs) from Unit 42’s report.
- Train security analysts to recognize techniques used by initial access brokers and monitor for credentials abuse.
- Use behavioural detection tools to identify software impersonation through forged icons, paths, and file signatures.
Read more:
- Grandoreiro Malware Emerges as a Threat to African Banks
- Agent Tesla Dominated Africa’s Malware Landscape in March 2025
- Kaspersky Reports Over 131 Million Web Threats Targeted Africa in 2024