Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector

June 27, 2025, 7:25 a.m.

Description

A series of attacks targeting financial organizations across Africa has been observed since July 2023. The threat actor, tracked as CL-CRI-1014, uses open-source and publicly available tools like PoshC2, Chisel, and Classroom Spy to establish attack frameworks, create tunnels for network communication, and perform remote administration. They forge file signatures to disguise their toolset and mask malicious activities. The attackers are suspected to be acting as initial access brokers, creating footholds in financial institutions to sell access on darknet markets. Their playbook includes lateral movement techniques such as creating remote services, executing through DCOM, and using PsExec. The threat actor also employs evasion methods like using packers and signing tools with stolen signatures.

Date

  • Created: June 26, 2025, 5:27 p.m.
  • Published: June 26, 2025, 5:27 p.m.
  • Modified: June 27, 2025, 7:25 a.m.

Indicators


Attack Patterns

Additional Information

  • Finance
  • Central African Republic
  • South Africa