Researchers at Check Point have discovered a spear phishing campaign dubbed “DangerousSavanna” that’s targeting financial entities in at least five African countries.

The campaign has been running for at least two years, and has targeted organizations in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The researchers believe the campaign is financially motivated.

“DangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries,” the researchers write.

“The companies that belong to these financial groups provide a wide range of banking products and services, and include not only banks but also insurance companies, microfinancing companies, financial holding companies, financial management companies, financial advisory services, etc. Despite the relatively low complexity of their tools, we observed the signs that might point out that the attackers managed to infect some of their targets. This was most likely due to the actors’ persistent attempts at infiltration. If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point. With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.”

The phishing emails are written in French, the primary or official language of the targeted countries.

“The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies, all of which are medium to large financial groups in French-speaking Africa,” the researchers write. “In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company whose domain doesn’t have an SPF record.”

Check Point believes that the attackers will continue improving their social engineering techniques and malware.
“This campaign, which has been running for almost two years, often changes its tools and methods, demonstrating the actors’ knowledge of open-source tools and penetration testing software,” the researchers write. “We expect that this campaign, which shows no signs of stopping or slowing down, will continue to adjust its operations and methods with an eye to maximizing its financial gain.”