Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector

Severity: Medium
Published: Thu Jun 26 2025 (06/26/2025, 17:27:50 UTC)
Source: AlienVault OTX General

Description

A series of intrusions targeting financial organizations across Africa has been observed since July 2023. The threat actor, tracked as CL-CRI-1014, uses open-source and publicly available tools such as PoshC2 (command and control), Chisel (tunnelling) and Classroom Spy (remote administration) to build its attack framework, tunnel network communication and remotely administer compromised hosts. It forges file signatures to disguise the toolset and mask malicious activity. The attackers are suspected of acting as initial access brokers, establishing footholds in financial institutions and selling that access on darknet markets. Their playbook includes lateral movement by creating remote services, executing through DCOM and using PsExec, and evasion through packers and tools signed with stolen signatures.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 21:05:25 UTC

Technical Analysis

Since July 2023, a cybercriminal cluster tracked as CL-CRI-1014 has been conducting targeted intrusions against financial institutions across Africa. Rather than custom malware, the actor relies on open-source and publicly available tooling: PoshC2, an open-source post-exploitation and command-and-control (C2) framework; Chisel, a TCP/UDP tunnelling tool that carries traffic over HTTP and protects it with SSH, used here to tunnel C2 and lateral-movement traffic past perimeter controls; and Classroom Spy, commercial classroom-monitoring software repurposed as a remote administration tool. Together these give the actor a persistent foothold with interactive remote control and a channel for data exfiltration.

To stay undetected, the actor forges file signatures so that its binaries resemble legitimate vendor software, packs the binaries, and signs tools with stolen certificates. Its lateral-movement playbook is conventional Windows tradecraft: creating services on remote hosts, executing code through Distributed Component Object Model (DCOM), and running PsExec, all of which depend on valid credentials rather than on exploits. Persistence and evasion map to MITRE ATT&CK scheduled tasks (T1053.005), masquerading (T1036.005) and process injection (T1055).

The group is assessed to operate as an initial access broker: it compromises financial organizations and sells the resulting access on darknet markets to other actors. No specific vulnerability or CVE is associated with the campaign, so patching alone does not address it; the combination of legitimate tools and stolen or forged signatures is what complicates detection and mitigation. The threat is rated medium severity, reflecting the moderate but real risk these targeted intrusions pose.

Potential Impact

For European organizations, particularly those with financial ties to African institutions, the main risk is indirect exposure through supply chain or third-party relationships. Where European financial entities share infrastructure or data with African counterparts, or have interconnected networks, the lateral movement and persistence techniques used by CL-CRI-1014 could carry a compromise across the border. European institutions could also become direct targets if the actor expands its operations or other groups adopt the same tactics. Because the toolset consists of open-source software and binaries carrying stolen or forged signatures, intrusions can go undetected for long periods, leading to data breaches, financial fraud and reputational damage. The actor's role as an initial access broker means that any access gained is likely to be resold, so a foothold can turn into ransomware, data theft or espionage conducted by a different group. The medium severity rating indicates that the threat is not currently critical, but the actor's persistence and tradecraft warrant proactive defensive measures.

Mitigation Recommendations

European financial organizations should focus detection on legitimate administrative and tunnelling tools used in suspicious contexts, including PoshC2, Chisel and Classroom Spy. Concretely: alert on new service installations (System event 7045) whose binary sits on an admin share or in a user-writable directory, or whose name is PSEXESVC; on scheduled task creation (Security event 4698) pointing at binaries outside Program Files and the Windows directory; on mmc.exe or Office applications started by the DCOM launcher (svchost.exe -k DcomLaunch), the usual sign of DCOM-based lateral movement; and on long-lived outbound HTTP or WebSocket connections from unexpected processes, which is how Chisel tunnels present on the wire. Network segmentation and strict access controls limit where lateral movement can go. Application allow-listing and EDR tuned for packer use and process injection cover the evasion side. Signature validation should check that an Authenticode chain actually validates to a trusted root and that the signer matches the product the file claims to be; a binary whose signature is invalid, or whose version metadata names a vendor that did not sign it, is exactly the masquerading this actor uses. Block or sinkhole the domains and hashes listed below, and run regular threat hunts for the persistence and lateral-movement techniques referenced in MITRE ATT&CK (T1053.005, T1036.005, T1055, and T1021.002/T1021.003 for PsExec and DCOM). Supply chain risk assessments should cover African financial partners with which networks or data are shared. Finally, user awareness training on phishing and social engineering remains relevant, as initial access often involves user interaction.
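The detections above can be prototyped against log data before production EDR or SIEM rules are written. The following Python script is an added example written for this page, not code from Unit 42, AlienVault or the OffSeq page. It runs the checks over a handful of constructed event records that imitate Windows System, Security and Sysmon fields (the field names, host names and file paths are assumptions, simplified from the real schemas) and matches process hashes and DNS queries against a subset of the indicators listed on this page.

```python
"""Hunt for CL-CRI-1014-style lateral movement and IOC hits in Windows event data.

Added example for this page; not code from Unit 42, AlienVault or OffSeq.
Event records below are constructed and use simplified field names; real
EVTX/Sysmon exports need a small mapping onto these keys.
"""
import re
from collections import Counter

# Indicators copied from this page's IOC section (subset of the hashes).
IOC_HASHES = {
    "f26c3cd4209492b699131d29b76d941a",                                   # MD5
    "c787636df481e1075db49c96d696de8dc6198e26",                           # SHA-1
    "0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc",   # SHA-256
    "14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b",   # SHA-256
}
IOC_DOMAINS = {
    "bixxler.drennonmarketingreviews.com", "genova.drennonmarketingreviews.com",
    "health.aqlifecare.com", "mozal.finartex.com", "vigio.finartex.com",
}

HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}

# Admin shares (\\host\ADMIN$) and user-writable locations: services and
# scheduled tasks launched from here deserve a look, system binaries do not.
USER_WRITABLE = re.compile(r"^(\\\\|[a-z]:\\(users|programdata|windows\\temp)\\)", re.I)


def classify_hash(value):
    """Label a hex digest by its length; anything non-hex or odd-sized is rejected."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "invalid"
    return HASH_TYPE.get(len(v), "unknown")


def parse_sysmon_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {'sha256': ..., 'md5': ...}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def analyse(event):
    """Return [(technique, reason), ...] for one event; an empty list means clean."""
    findings = []
    eid, channel = event.get("EventID"), event.get("Channel")
    if channel == "System" and eid == 7045:            # new service installed
        name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
        if "psexesvc" in (name + path).lower():
            findings.append(("T1021.002", f"PsExec service installed: {name}"))
        elif USER_WRITABLE.search(path):
            findings.append(("T1543.003", f"service binary on admin share or user path: {path}"))
    if channel == "Security" and eid == 4698:          # scheduled task created
        cmd = event.get("Command", "")
        if USER_WRITABLE.search(cmd):
            findings.append(("T1053.005", f"scheduled task runs from suspicious path: {cmd}"))
    if channel == "Sysmon" and eid == 1:               # process creation
        image = event.get("Image", "").lower()
        parent_cmd = event.get("ParentCommandLine", "").lower()
        if image.endswith("\\mmc.exe") and "dcomlaunch" in parent_cmd:
            findings.append(("T1021.003", "mmc.exe spawned by the DCOM launcher (MMC20.Application pattern)"))
        for algo, digest in parse_sysmon_hashes(event.get("Hashes", "")).items():
            if digest in IOC_HASHES:
                findings.append(("IOC", f"{algo} of {event.get('Image')} matches a known sample"))
    if channel == "Sysmon" and eid == 22:              # DNS query
        qname = event.get("QueryName", "").lower()
        if qname in IOC_DOMAINS:
            findings.append(("IOC", f"DNS query for C2 domain {qname} by {event.get('Image')}"))
    return findings


def hunt(events):
    """Run analyse() over a sequence of events; returns [(index, technique, reason), ...]."""
    return [(i, t, r) for i, e in enumerate(events) for t, r in analyse(e)]


# Constructed sample telemetry (hostnames, paths and the benign hashes are made up).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Channel": "System", "Host": "fin-srv-01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Channel": "System", "Host": "fin-srv-02",
     "ServiceName": "WinUpdateSvc", "ImagePath": "\\\\fin-srv-02\\ADMIN$\\upd.exe"},
    {"EventID": 4698, "Channel": "Security", "Host": "fin-srv-02",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\chk", "Command": "C:\\ProgramData\\chk.exe"},
    {"EventID": 1, "Channel": "Sysmon", "Host": "fin-ws-17",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
     "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 1, "Channel": "Sysmon", "Host": "fin-ws-17",
     "Image": "C:\\Users\\Public\\svchost.exe", "ParentCommandLine": "explorer.exe",
     "Hashes": "MD5=F26C3CD4209492B699131D29B76D941A,"
               "SHA256=0BB7A473D2B2A3617CA12758C6FBB4E674243DAA45C321D53B70DF95130E23BC"},
    {"EventID": 22, "Channel": "Sysmon", "Host": "fin-ws-17",
     "Image": "C:\\Users\\Public\\svchost.exe", "QueryName": "health.aqlifecare.com"},
    {"EventID": 1, "Channel": "Sysmon", "Host": "fin-ws-17",       # benign control
     "Image": "C:\\Windows\\System32\\notepad.exe", "ParentCommandLine": "explorer.exe",
     "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for idx, technique, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx} [{SAMPLE_EVENTS[idx]['Host']}] {technique}: {reason}")
    print("by technique:", dict(Counter(t for _, t, _ in hunt(SAMPLE_EVENTS))))
    print("IOC hash types:", dict(Counter(classify_hash(h) for h in IOC_HASHES)))
```

The path rule deliberately ignores services and tasks whose binary lives under the Windows or Program Files directories; that keeps the noise down but means an actor who first copies a tool into System32 would only be caught by the hash or signature checks, which is why the hash match and the DCOM parent check are evaluated independently of the path rule. The benign notepad.exe record is a control: a rule set that flags it is too loose.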

Technical Details

Author: AlienVault
TLP: WHITE
References: https://unit42.paloaltonetworks.com/cybercriminals-attack-financial-sector-across-africa/
Adversary: CL-CRI-1014
Pulse Id: 685d83160bafa66baf5f4fe2
Threat Score: none assigned

Indicators of Compromise

Hash

MD5: f26c3cd4209492b699131d29b76d941a
SHA-1: c787636df481e1075db49c96d696de8dc6198e26
SHA-256: 0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc
SHA-256: 14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b
SHA-256: 2ce8653c59686833272b23cc30235dae915207bf9cdf1d08f6a3348fb3a3e5c1
SHA-256: 3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c
SHA-256: 5e4511905484a6dc531fa8f32e0310a8378839048fe6acfeaf4dda2396184997
SHA-256: 633f90a3125d0668d3aac564ae5b311416f7576a0a48be4a42d21557f43d2b4f
SHA-256: 6cfa5f93223db220037840a2798384ccc978641bcec9c118fde704d40480d050
SHA-256: 7e0aa32565167267bce5f9508235f1dacbf78a79b44b852c25d83ed093672ed9
SHA-256: 831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363
SHA-256: 9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f
SHA-256: 9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4
SHA-256: 9d9cb28b5938529893ad4156c34c36955aab79c455517796172c4c642b7b4699
SHA-256: a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190
SHA-256: a61092a13155ec8cb2b9cdf2796a1a2a230cfadb3c1fd923443624ec86cb7044
SHA-256: aed1b6782cfd70156b99f1b79412a6e80c918a669bc00a6eee5e824840c870c1
SHA-256: bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f
SHA-256: d528bcbfef874f19e11bdc5581c47f482c93ff094812b8ee56ea602e2e239b56
SHA-256: d81a014332e322ce356a0e2ed11cffddd37148b907f9fdf5db7024e192ed4b70
SHA-256: e14b07b67f1a54b02fc6b65fdba3c9e41130f283bfea459afa6bee763d3756f8
SHA-256: e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b
SHA-256: f1919abe7364f64c75a26cff78c3fcc42e5835685301da26b6f73a6029912072
SHA-256: f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533

Domain

bixxler.drennonmarketingreviews.com
finix.newsnewth365.com
flesh.tabtemplates.com
genova.drennonmarketingreviews.com
health.aqlifecare.com
mozal.finartex.com
savings.foothillindbank.com
tnn.specialfinanceinsider.com
vigio.finartex.com
vlety.forwardbanker.com

Threat ID: 685db273ca1063fb8748d2aa

Added to database: 6/26/2025, 8:49:55 PM

Last enriched: 6/26/2025, 9:05:25 PM

Last updated: 8/17/2025, 9:25:38 AM
