It’s a Smooth OPERA1ER - Steals Millions from Banks and Telcos

Group-IB identified a threat group that has stolen millions from banks and telecommunications providers in Africa. Dubbed OPERA1ER, the group was first spotted in 2016 and has conducted tens of successful attacks to date.

Top details

  • The French-speaking cybercriminal group has claimed over 35 victims between 2018 and 2022.
  • It has stolen around $30 million over four years, across Africa, Paraguay, Argentina, and Bangladesh.
  • OPERA1ER, as observed, leverages commodity malware and open-source tools, along with frameworks such as Cobalt Strike and Metasploit, in its attack campaigns.

Attack tactic

  • The initial attack vector is spear-phishing, and its target lists are carefully crafted to reach a specific team within a specific organization.
  • Most of the time, the spear-phishing messages pretend to be from the government tax office or a hiring agent from an African bank.
  • The malware used by the group includes NanoCore, AgentTesla, VenomRAT, and others.

Motive

  • Usually, OPERA1ER targets accounts that control huge amounts of money and uses stolen credentials to transfer that money into Channel User accounts.
  • The funds are subsequently transferred to subscriber accounts under the group’s control.
  • The stolen credentials are, furthermore, used to access email accounts and conduct lateral phishing.
  • The cash is withdrawn via a network of ATMs. In one case, more than 400 mule subscriber accounts were used to siphon the funds.
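The cash-out pattern above (one compromised high-value account fanning funds out to hundreds of freshly enrolled subscriber accounts in a short burst) is something a fraud or SOC team can baseline and alert on. The following is an added example, not code from Group-IB or Cyware: it runs a sliding-window fan-out check over a constructed transfer log and reports any source account that reaches more distinct destination accounts than a threshold inside the window. The account identifiers, amounts, window size and threshold are all assumptions for the example.

```python
"""Fan-out detection for mule-account cash-outs (constructed example).

Flags any source account that sends funds to an unusually large number of
distinct destination (subscriber) accounts inside a short time window, the
pattern described for OPERA1ER's withdrawal through hundreds of mule accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log: (timestamp, source_account, dest_account, amount).
# Account ids are placeholders, not identifiers from the report.
_T0 = datetime(2022, 1, 10, 9, 0, 0)
SAMPLE_TRANSFERS = [
    # normal payout-like activity: few destinations, spread over days
    (_T0, "CORP-001", "SUB-1001", 250.0),
    (_T0 + timedelta(days=1), "CORP-001", "SUB-1002", 250.0),
    (_T0 + timedelta(days=2), "CORP-001", "SUB-1001", 250.0),
    # burst from a compromised high-value account to many fresh subscriber accounts
    *[(_T0 + timedelta(minutes=2 * i), "CORP-777", f"SUB-9{i:03d}", 1900.0)
      for i in range(8)],
]


def fanout_alerts(transfers, window=timedelta(hours=1), max_distinct_dests=5):
    """Return {source: set_of_destinations} for every source account that, within
    any `window`, paid more than `max_distinct_dests` distinct destination accounts.
    The reported set is the largest one seen for that source."""
    by_source = defaultdict(list)
    for ts, src, dst, _amount in transfers:
        by_source[src].append((ts, dst))

    alerts = {}
    for src, rows in by_source.items():
        rows.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it fits inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            dests = {d for _, d in rows[start:end + 1]}
            if len(dests) > max_distinct_dests and len(dests) > len(alerts.get(src, ())):
                alerts[src] = dests
    return alerts


if __name__ == "__main__":
    for src, dests in fanout_alerts(SAMPLE_TRANSFERS).items():
        print(f"ALERT {src}: {len(dests)} distinct destinations within one hour")
```

In production the threshold should come from each account's own history (a payroll account legitimately fans out once a month), and the destination accounts' enrollment age is a strong second signal, since mule subscriber accounts are typically created shortly before the cash-out.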

Obfuscation

  • OPERA1ER uses DynDNS services and proxy layers built on mobile internet connections to hide its backend address.
  • To obfuscate its infrastructure, the group uses VPN services, such as Cloudflare, FrootVPN, and AzireVPN.
  • In addition to the above, the attackers use a wide range of mobile internet IP addresses, most of which are located in Ivory Coast.
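Because the backend sits behind dynamic-DNS names rather than fixed IPs, blocking addresses is of limited use, but the name lookups themselves are visible in resolver logs. The block below is an added example, not code from Group-IB or Cyware: it scans a constructed DNS query log and reports which internal clients resolved hostnames under a watch-list of dynamic-DNS suffixes. The suffix list is an assumed starting point (these are well-known dynamic-DNS providers, not indicators from the report), and the log format and hostnames are constructed for the example.

```python
"""Flag DNS lookups of dynamic-DNS hostnames (constructed example).

A bank or telco resolver rarely needs to resolve DynDNS-style names at all, so
any client doing so is worth a look; repeated lookups of the same name from one
host are the usual beaconing signature.
"""
import re

# Assumed watch-list of common dynamic-DNS suffixes; extend from your own telemetry.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "dyndns.org", "hopto.org")

# Constructed query log, one lookup per line: "<ts> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2022-09-01T08:01:12Z 10.20.1.15 mail.example-bank.test A
2022-09-01T08:01:40Z 10.20.1.15 update.vendor.test A
2022-09-01T08:02:03Z 10.20.3.77 finance-sync.duckdns.org A
2022-09-01T08:02:05Z 10.20.3.77 finance-sync.duckdns.org A
2022-09-01T08:03:19Z 10.20.1.15 cdn.example.test A
2022-09-01T08:04:00Z 10.20.5.9 backup01.ddns.net A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def is_dyndns(qname, suffixes=DYNDNS_SUFFIXES):
    """True if qname is a watch-listed suffix or a subdomain of one.
    Matches on label boundaries so 'evilduckdns.org' does not match 'duckdns.org'."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)


def dyndns_hits(log_text):
    """Return {client_ip: {qname: lookup_count}} for lookups of dynamic-DNS names."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if is_dyndns(m["qname"]):
            per_client = hits.setdefault(m["client"], {})
            per_client[m["qname"]] = per_client.get(m["qname"], 0) + 1
    return hits


if __name__ == "__main__":
    for client, names in dyndns_hits(SAMPLE_DNS_LOG).items():
        for name, count in names.items():
            print(f"{client} resolved {name} {count}x")
```

Pair the hits with the egress side: the report notes the group's traffic arrives over mobile-carrier IP space and commercial VPN services, so a newly seen dynamic-DNS name that resolves into such ranges deserves a higher score than one resolving to a known SaaS provider.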

The bottom line

Notably, OPERA1ER doesn’t use any custom malware or tool, nor does it abuse any zero-day. The group’s tremendous success relied solely on publicly available malware and tools, which highlights the effort OPERA1ER invests in studying its targets’ networks. The threat actor is highly organized, coordinated, and sophisticated; it plans its attacks over a long period of time.
Cyware Publisher