Cybercriminals Abuse Open-Source Tools to Target Africa’s Financial Sector

    Date: 06/25/2025

    Severity: High

    Summary

    Since at least July 2023, a threat group tracked as CL-CRI-1014 has been targeting financial institutions across Africa. The attackers rely on publicly available tooling, including the open-source PoshC2 framework and Chisel tunneler together with the Classroom Spy remote-monitoring product, to establish remote access and build communication tunnels out of victim networks. They forge file signatures by mimicking legitimate software (copied icons, metadata and certificates) so that their binaries blend in and evade detection. The group is believed to be acting as an initial access broker: it gains entry to networks and sells that access on dark web markets. Its tradecraft illustrates the growing abuse of legitimate, freely obtainable tools for malicious purposes, which makes IOC-based detection (the domains and file hashes below) more important than tool-name-based blocking.

    Indicators of Compromise (IOC) List 

    URL/Domain

    finix.newsnewth365.com

    mozal.finartex.com

    vigio.finartex.com

    bixxler.drennonmarketingreviews.com

    genova.drennonmarketingreviews.com

    savings.foothillindbank.com

    tnn.specialfinanceinsider.com

    ec2-18-140-227-82.ap-southeast-1.compute.amazonaws.com

    ec2-51-20-36-117.eu-north-1.compute.amazonaws.com

    flesh.tabtemplates.com

    health.aqlifecare.com

    vlety.forwardbanker.com

    Hash (SHA-256)

    3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c

    9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f

    a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190

    0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc

    14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b

    9d9cb28b5938529893ad4156c34c36955aab79c455517796172c4c642b7b4699

    e14b07b67f1a54b02fc6b65fdba3c9e41130f283bfea459afa6bee763d3756f8

    a61092a13155ec8cb2b9cdf2796a1a2a230cfadb3c1fd923443624ec86cb7044

    7e0aa32565167267bce5f9508235f1dacbf78a79b44b852c25d83ed093672ed9

    d81a014332e322ce356a0e2ed11cffddd37148b907f9fdf5db7024e192ed4b70

    d528bcbfef874f19e11bdc5581c47f482c93ff094812b8ee56ea602e2e239b56

    f1919abe7364f64c75a26cff78c3fcc42e5835685301da26b6f73a6029912072

    633f90a3125d0668d3aac564ae5b311416f7576a0a48be4a42d21557f43d2b4f

    bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f

    9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4

    5e4511905484a6dc531fa8f32e0310a8378839048fe6acfeaf4dda2396184997

    e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b

    2ce8653c59686833272b23cc30235dae915207bf9cdf1d08f6a3348fb3a3e5c1

    831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363

    f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533

    aed1b6782cfd70156b99f1b79412a6e80c918a669bc00a6eee5e824840c870c1

    6cfa5f93223db220037840a2798384ccc978641bcec9c118fde704d40480d050

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "finix.newsnewth365.com" or siteurl like "finix.newsnewth365.com" or url like "finix.newsnewth365.com" or
    domainname like "mozal.finartex.com" or siteurl like "mozal.finartex.com" or url like "mozal.finartex.com" or
    domainname like "vigio.finartex.com" or siteurl like "vigio.finartex.com" or url like "vigio.finartex.com" or
    domainname like "bixxler.drennonmarketingreviews.com" or siteurl like "bixxler.drennonmarketingreviews.com" or url like "bixxler.drennonmarketingreviews.com" or
    domainname like "genova.drennonmarketingreviews.com" or siteurl like "genova.drennonmarketingreviews.com" or url like "genova.drennonmarketingreviews.com" or
    domainname like "savings.foothillindbank.com" or siteurl like "savings.foothillindbank.com" or url like "savings.foothillindbank.com" or
    domainname like "tnn.specialfinanceinsider.com" or siteurl like "tnn.specialfinanceinsider.com" or url like "tnn.specialfinanceinsider.com" or
    domainname like "ec2-18-140-227-82.ap-southeast-1.compute.amazonaws.com" or siteurl like "ec2-18-140-227-82.ap-southeast-1.compute.amazonaws.com" or url like "ec2-18-140-227-82.ap-southeast-1.compute.amazonaws.com" or
    domainname like "ec2-51-20-36-117.eu-north-1.compute.amazonaws.com" or siteurl like "ec2-51-20-36-117.eu-north-1.compute.amazonaws.com" or url like "ec2-51-20-36-117.eu-north-1.compute.amazonaws.com" or
    domainname like "flesh.tabtemplates.com" or siteurl like "flesh.tabtemplates.com" or url like "flesh.tabtemplates.com" or
    domainname like "health.aqlifecare.com" or siteurl like "health.aqlifecare.com" or url like "health.aqlifecare.com" or
    domainname like "vlety.forwardbanker.com" or siteurl like "vlety.forwardbanker.com" or url like "vlety.forwardbanker.com"

    Detection Query 2 : 

    sha256hash IN (
        "3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c",
        "9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f",
        "a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190",
        "0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc",
        "14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b",
        "9d9cb28b5938529893ad4156c34c36955aab79c455517796172c4c642b7b4699",
        "e14b07b67f1a54b02fc6b65fdba3c9e41130f283bfea459afa6bee763d3756f8",
        "a61092a13155ec8cb2b9cdf2796a1a2a230cfadb3c1fd923443624ec86cb7044",
        "7e0aa32565167267bce5f9508235f1dacbf78a79b44b852c25d83ed093672ed9",
        "d81a014332e322ce356a0e2ed11cffddd37148b907f9fdf5db7024e192ed4b70",
        "d528bcbfef874f19e11bdc5581c47f482c93ff094812b8ee56ea602e2e239b56",
        "f1919abe7364f64c75a26cff78c3fcc42e5835685301da26b6f73a6029912072",
        "633f90a3125d0668d3aac564ae5b311416f7576a0a48be4a42d21557f43d2b4f",
        "bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f",
        "9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4",
        "5e4511905484a6dc531fa8f32e0310a8378839048fe6acfeaf4dda2396184997",
        "e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b",
        "2ce8653c59686833272b23cc30235dae915207bf9cdf1d08f6a3348fb3a3e5c1",
        "831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363",
        "f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533",
        "aed1b6782cfd70156b99f1b79412a6e80c918a669bc00a6eee5e824840c870c1",
        "6cfa5f93223db220037840a2798384ccc978641bcec9c118fde704d40480d050"
    )
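    The two queries above are written for the Gurucul TDIR platform. The following is an added example, not Gurucul's or Unit 42's code, that applies the same indicators offline to raw log lines, for teams that want to sweep proxy, DNS and EDR exports before those logs reach a SIEM. It matches hostnames exactly (or as a deeper subdomain of a listed name) rather than by substring, so a look-alike such as the bare registered domain does not fire, it tolerates upper-case and trailing-dot FQDNs as resolvers log them, and it matches file hashes case-insensitively. The log lines are constructed for illustration; the domain list is the page's full list (the EC2 names are written in their full ec2- form) and the hash list is a subset of the page's hashes kept short for readability.

```python
import re
from typing import List, Optional, Set, Tuple

# Domains as listed on this page (complete list).
IOC_DOMAINS = {
    "finix.newsnewth365.com",
    "mozal.finartex.com",
    "vigio.finartex.com",
    "bixxler.drennonmarketingreviews.com",
    "genova.drennonmarketingreviews.com",
    "savings.foothillindbank.com",
    "tnn.specialfinanceinsider.com",
    "ec2-18-140-227-82.ap-southeast-1.compute.amazonaws.com",
    "ec2-51-20-36-117.eu-north-1.compute.amazonaws.com",
    "flesh.tabtemplates.com",
    "health.aqlifecare.com",
    "vlety.forwardbanker.com",
}

# SHA-256 hashes from this page (subset, for brevity; extend with the full list).
IOC_SHA256 = {
    "3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c",
    "9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f",
    "a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190",
    "831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363",
}

# Hostname-like tokens (label.label.tld) and 64-hex SHA-256 tokens, on lower-cased text.
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot (DNS FQDN form) and any :port suffix."""
    return host.strip().lower().rstrip(".").split(":", 1)[0]


def domain_matches(host: str) -> Optional[str]:
    """Return the listed IOC that `host` is, or is a deeper subdomain of; else None."""
    host = normalize_host(host)
    if host in IOC_DOMAINS:
        return host
    for ioc in IOC_DOMAINS:
        if host.endswith("." + ioc):
            return ioc
    return None


def hosts_in(line: str) -> Set[str]:
    """Pull every hostname-looking token out of a free-form log line (URLs included)."""
    return set(HOST_RE.findall(line.lower()))


def sweep(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for each IOC hit; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in sorted(hosts_in(line)):
            ioc = domain_matches(host)
            if ioc:
                hits.append((n, "domain", ioc))
        for digest in SHA256_RE.findall(line.lower()):
            if digest in IOC_SHA256:
                hits.append((n, "sha256", digest))
    return hits


def tdir_hash_query(hashes) -> str:
    """Render a deduplicated, sorted hash list in the page's `sha256hash IN (...)` form."""
    return "sha256hash IN (" + ",".join(f'"{h}"' for h in sorted(set(hashes))) + ")"


# Constructed sample log lines (not real telemetry): proxy, DNS and EDR formats.
SAMPLE_LOGS = [
    "2025-06-20T09:58:11Z proxy src=10.0.0.5 GET http://www.example.com/ 200",
    "2025-06-20T10:01:02Z proxy src=10.0.0.5 GET http://health.aqlifecare.com/update.php 200",
    "2025-06-20T10:02:10Z dns src=10.0.0.7 query=VIGIO.FINARTEX.COM. type=A",
    "2025-06-20T10:02:15Z dns src=10.0.0.7 query=cdn.flesh.tabtemplates.com type=A",
    "2025-06-20T10:03:00Z edr host=WS07 file_write path=C:\\Users\\a\\AppData\\Local\\Temp\\svchost.exe "
    "sha256=3BBE3F42857BBF74424FF4D044027B9C43D3386371DECF905A4A1037AD468E2C",
    # Bare registered domain of a listed host: not an IOC on this page, must not fire.
    "2025-06-20T10:04:00Z proxy src=10.0.0.9 GET https://aqlifecare.com/ 200",
]

if __name__ == "__main__":
    for line_no, kind, ioc in sweep(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit on {ioc}")
```

    The deduplication in `tdir_hash_query` matters because a repeated hash in an `IN (...)` list is harmless to most engines but signals that the list was assembled by hand; regenerating the clause from a set keeps the published query and the internal watchlist in step.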

    Reference:    

    https://unit42.paloaltonetworks.com/cybercriminals-attack-financial-sector-across-africa/


    Tags

    Threat Actor: CL-CRI-1014, Financial Services, PoshC2, Chisel, Classroom Spy
