DangerousSavanna is a two-year campaign targeting financial institutions in French-speaking Africa, employing spear-phishing and a diverse set of infection chains to deploy PoshC2 and AsyncRAT. The operation features evolving lures, modular payloads, and extensive post-infection activities, including evasion, persistence, and reconnaissance to maximize financial gains. hashtags: #DangerousSavanna #PoshC2 #AsyncRAT #DWService #PasteCNet #NedbankZA #IvoryCoast
Keypoints
- DangerousSavanna targets major financial services firms in five French-speaking African countries using spear-phishing with malicious attachments.
- Attackers mix self-written tools with open-source frameworks (PoshC2, DWService, AsyncRAT) to control infected hosts.
- Phishing lures evolve from macro-enabled documents to a wide range of file types, including PDFs, ZIPs, and ISO containers, with lookalike domains to boost credibility.
- Initial access often delivers a PowerShell backdoor and a PoshC2 implant, with AMSI and ETW bypasses used to evade defenses.
- Attackers employ process injection (RuntimeBroker.exe, iexpress.exe) and multiple persistence techniques (WinComp.bat, slmgr.vbs, scheduled tasks).
- Reconnaissance and credential access activities include screen captures, IP/config discovery, ARP scans, and memory dumps to extract RDP credentials.
- The campaign also deploys additional tools (DWService, CrackMapExec, WSL) and a keylogger, indicating a broader toolkit and operational breadth.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – ‘The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies.’
- [T1566.003] Spearphishing via Service – ‘lookalike domains, impersonating other financial institutions in Africa…’
- [T1218.009] Signed Binary Proxy Execution: LNK – ‘the LNK file is executed, downloads from the server and executes PowerShell commands.’
- [T1059.001] PowerShell – ‘PowerShell commands, which perform AMSI bypass and eventually install the PoshC2 implant.’
- [T1562.001] Impair Defenses: AMSI Bypass / ETW Bypass – ‘AMSI bypass and… EtwEventWrite bypass techniques.’
- [T1055] Process Injection – ‘they inject shellcode into RuntimeBroker.exe and iexpress.exe…’
- [T1053.005] Scheduled Task / Job – ‘persistence: create a scheduled task to run slmgr.vbs every 5 minutes, and two different scheduled tasks to execute WinComp.bat every 6 hours.’
- [T1113] Screen Capture – ‘Get-Screenshot’ reconnaissance command.
- [T1016] System Network Configuration Discovery – ‘Get-Ipconfig’ script to collect network information.
- [T1082] System Information Discovery – ‘Get-ComputerInfo’ to gather hardware and networking data.
- [T1046] Network Service Scanning – ‘Invoke-Arpscan’ performs ARP scanning over network interfaces.
- [T1003] Credential Dumping – ‘memory dump of the svchost.exe process… to extract… RDP credentials.’
- [T1056.001] Input Capture: Keylogging – ‘LoggerStamp… keylogger.log’ to record keystrokes.
Indicators of Compromise
- [IP] network – 15.236.51.204, 3.8.126.182, 35.181.50.113, 137.116.142.70, 170.130.172.46
- [Domain] infrastructure / hosting – paste.c-net.org, iplogger.org, 4sync.com, nedbank.za.com, nedbankplc.4nmn.com
- [File hash] sample dropper/macros – 7b8d0b4e718bc543de4a049e23672d79, a09b19b6975e090fb4eda6ced1847b1
- [File] Nouvelles Reformes 2021.pdf.exe (example dropper), WinTray.exe, WinComp.bat, slmgr.vbs
- [URL] C2/Dropper hosts – http://nedbankplc.4nmn.com, http://4sync.com/web/directDownload/…
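As an added defender-side example (not code from the Check Point report or from the campaign's own tooling), the script below hunts for the persistence pattern, the injection targets and the network and file indicators listed above across a handful of constructed event records. The `key=value` line format, the use of Security event 4698 and Sysmon events 3, 8, 11 and 22 for routing, and every sample line are assumptions made for the example; the indicator values themselves are the ones quoted on this page.

```python
"""Hunt constructed Windows Security/Sysmon-style event lines for the
DangerousSavanna artifacts summarised above.  Added example: the line
format, event-ID routing and sample records are assumptions."""
import re
from dataclasses import dataclass

# Indicators quoted from the summary above (domains, IPs, file names).
IOC_DOMAINS = {"paste.c-net.org", "iplogger.org", "4sync.com",
               "nedbank.za.com", "nedbankplc.4nmn.com"}
IOC_IPS = {"15.236.51.204", "3.8.126.182", "35.181.50.113",
           "137.116.142.70", "170.130.172.46"}
IOC_FILES = {"wincomp.bat", "slmgr.vbs", "wintray.exe",
             "nouvelles reformes 2021.pdf.exe"}
# T1053.005 pattern from the report: slmgr.vbs every 5 minutes,
# WinComp.bat every 6 hours.  The genuine slmgr.vbs lives in System32 and is
# not normally run on a five-minute schedule, so the interval is the signal.
TASK_INTERVALS = {"slmgr.vbs": 5 * 60, "wincomp.bat": 6 * 60 * 60}
# T1055 pattern: shellcode injected into these host processes.
INJECTION_TARGETS = {"runtimebroker.exe", "iexpress.exe"}

# key=value or key="quoted value" pairs (constructed log format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ID or "IoC:<type>"
    reason: str      # human-readable evidence
    line_no: int     # 1-based index into the input


def parse_event(line):
    """Split one event line into a dict; keys and values are lowercased."""
    return {k.lower(): v.strip('"').lower() for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(ev, line_no):
    """Apply the page's indicators to one parsed event; return Findings."""
    found = []
    eid = ev.get("eid")
    if eid == "4698":  # Security: scheduled task created
        action = ev.get("action", "")
        for fname, interval in TASK_INTERVALS.items():
            if fname in action and ev.get("interval") == str(interval):
                found.append(Finding("T1053.005",
                                     f"task runs {fname} every {interval}s", line_no))
    elif eid == "8":  # Sysmon: CreateRemoteThread
        src, tgt = basename(ev.get("source", "")), basename(ev.get("target", ""))
        if src == "powershell.exe" and tgt in INJECTION_TARGETS:
            found.append(Finding("T1055", f"powershell.exe thread into {tgt}", line_no))
    elif eid == "3":  # Sysmon: network connection
        ip = ev.get("dest", "").split(":")[0]
        if ip in IOC_IPS:
            found.append(Finding("IoC:IP", ip, line_no))
    elif eid == "22":  # Sysmon: DNS query
        q = ev.get("query", "")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            found.append(Finding("IoC:Domain", q, line_no))
    elif eid == "11":  # Sysmon: file created
        name = basename(ev.get("file", ""))
        if name in IOC_FILES:
            found.append(Finding("IoC:File", name, line_no))
    return found


def hunt(lines):
    """Run check_event over every line; returns all Findings in input order."""
    out = []
    for n, line in enumerate(lines, 1):
        out.extend(check_event(parse_event(line), n))
    return out


# Constructed sample events: six malicious, two benign.
SAMPLE_EVENTS = [
    r'eid=4698 task="\Microsoft\Windows\SLMGR" action="wscript.exe C:\Users\Public\slmgr.vbs" interval=300',
    r'eid=4698 task="\WinComp" action="C:\ProgramData\WinComp.bat" interval=21600',
    r'eid=4698 task="\Microsoft\Windows\Defrag\ScheduledDefrag" action="%windir%\system32\defrag.exe -c" interval=604800',
    r'eid=8 source="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" target="C:\Windows\System32\RuntimeBroker.exe"',
    r'eid=3 image=powershell.exe dest=15.236.51.204:443',
    r'eid=22 image=powershell.exe query=nedbankplc.4nmn.com',
    r'eid=11 image=powershell.exe file="C:\Users\Public\WinTray.exe"',
    r'eid=3 image=chrome.exe dest=93.184.216.34:443',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"line {f.line_no}: [{f.technique}] {f.reason}")
```

The scheduled-task rule keys on the interval rather than the script name alone, because `slmgr.vbs` is a legitimate Windows file and a name match by itself would be noisy; the injection rule likewise pairs the target process with a PowerShell source, mirroring the report's chain of PowerShell implant followed by injection. Feeding real Security 4698 and Sysmon events into `hunt` only requires replacing `parse_event` with a parser for the collector's output format.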