Nairobi and East African Cyber Gangs Increase in Numbers as Heists Expand to Other Industries

For the last few months, OnNet has witnessed a growth of new cyber gangs, some of which broke off from the major known groups and reuse some of the TTPs observed in those groups. Though OnNet is still collecting on and attributing these "new" operational actors behind the heists, a new wave of attacks against education centres, travel/accommodation companies, insurance organizations and hospitals has increased. One of the major actors behind most of these intrusions is a faction that broke out of SilentCards in late 2019 to form a financial threat group tracked by OnNet as The Consultants. In late 2019, after a money heist from a crediting firm, the OnNet team running counter-cyber operations against this group witnessed several uploads of scanned customer cheques to a command and control server overseas during a penetration and active heist by The Consultants. The same was witnessed at an accommodation and travel company in Nairobi that lost a lot of funds in January 2020.

The Consultants have evolved to use dwagent from www.dwservice.net, which lets them deploy an agent written as a Windows service in C/C++ using the Win32 API, as seen below.

#include <windows.h>
#include <string>

using std::wstring;

// Service entry points registered with the Service Control Manager.
void WINAPI ServiceMain(DWORD argc, LPWSTR *argv);
void WINAPI ServiceCtrlHandler(DWORD Opcode);

// Function-pointer types used to call back into the agent's updater and logger.
typedef bool (*FUPDATER)();
typedef void (*CallbackType)(const wchar_t*);
typedef bool (*FCALLBACKLOG)(CallbackType);

// Strip every leading and trailing occurrence of c from str.
void trim(wstring& str, wchar_t c) {
    wstring::size_type pos = str.find_last_not_of(c);
    if (pos != wstring::npos) {
        str.erase(pos + 1);                            // drop trailing c's
        pos = str.find_first_not_of(c);
        if (pos != wstring::npos) str.erase(0, pos);  // drop leading c's
    } else {
        str.clear();                                   // string consisted only of c's
    }
}

Dwagent as a service ships other utilities such as screen capture, which The Consultants use to view the screen and take screenshots during a cyber intrusion of a targeted organization.

The Remote Access Tool also has several Python scripts for resources needed by the agent and for sustaining an audit trail of each connection made through DWService. The logs generated by dwagent always disclose incredibly detailed information about the actor behind the screen during the intrusion.

The terminal capability on a targeted system is run via a Python toolkit, as shown.

import threading

SHELL_INTERVALL_TIMEOUT = 45  # seconds

class Shell():

    def __init__(self, agent_main):
        self._agent_main = agent_main
        self._list = {}                                # open shell sessions
        self._list_semaphore = threading.Condition()

    def destroy(self, bforce):
        # Refuse to tear down while sessions are still open, unless forced.
        if not bforce:
            self._list_semaphore.acquire()
            try:
                if len(self._list) > 0:
                    return False
            finally:
                self._list_semaphore.release()
        return True

This actor renames the installation folder to hide the service directory of this Remote Access Toolkit, but the service still spawns a process called dwagent.exe that connects to 85.10.192.135.

This actor has almost the same type of keylogger that SilentCards uses, but with a few changes. During development of the code the actors named the Python scripts either voda.py or koko.py on their laptops/PCs. The keylogger is currently tracked as KoKologger by the OnNet CTI team.

VirusTotal: https://www.virustotal.com/gui/file/86b3d95efad0a74c324e3cc17156e511e5323a8a50a97df1d123a5f848d39902/detection

MD5: 928f59d3701e9572c36530a526698372
SHA-1: 193b25d17060ea878e0ef3a30419d561245621eb
SHA-256: 86b3d95efad0a74c324e3cc17156e511e5323a8a50a97df1d123a5f848d39902
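The indicators in this report can be turned into a host-level check. The following is an added example, not OnNet's code and not part of dwagent, that scans constructed Sysmon-style process-creation and network-connection records for the dwagent.exe process name and the 85.10.192.135 address, and compares a file's digests against the KoKologger hashes above; the record field names are an assumption loosely modelled on Sysmon Event IDs 1 and 3.

```python
import hashlib
# Indicators taken from the report above.
DWAGENT_PROCESS = "dwagent.exe"
DWAGENT_C2 = "85.10.192.135"
KOKOLOGGER_HASHES = {
    "md5": "928f59d3701e9572c36530a526698372",
    "sha1": "193b25d17060ea878e0ef3a30419d561245621eb",
    "sha256": "86b3d95efad0a74c324e3cc17156e511e5323a8a50a97df1d123a5f848d39902",
}

def scan_events(events):
    """Scan Sysmon-style records (assumed shape: dicts with 'event_id', 'image',
    'parent_image', 'dest_ip', 'dest_port') and return (rule, detail) findings."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        exe = image.lower().split("\\")[-1]
        # The actor renames the install folder, so key on the executable name
        # rather than on the default DWAgent install path.
        if ev.get("event_id") == 1 and exe == DWAGENT_PROCESS:
            findings.append(("dwagent_process",
                             f"{image} started by {ev.get('parent_image')}"))
        # Any process talking to the reported C2 address deserves a ticket.
        if ev.get("event_id") == 3 and ev.get("dest_ip") == DWAGENT_C2:
            findings.append(("dwagent_c2",
                             f"{image} -> {DWAGENT_C2}:{ev.get('dest_port')}"))
    return findings

def match_hashes(data):
    """Hash file bytes and list the algorithms whose digest matches KoKologger."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [algo for algo, h in digests.items() if h == KOKOLOGGER_HASHES[algo]]

# Constructed sample telemetry, not real events from a victim host.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\ProgramData\UpdSvc\dwagent.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 3, "image": r"C:\ProgramData\UpdSvc\dwagent.exe",
     "dest_ip": "85.10.192.135", "dest_port": 443},
    {"event_id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(rule, detail)
```

Feed it real Sysmon exports in the same shape and pass file bytes to match_hashes to confirm a suspect sample against the published digests.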