The group is believed to have stolen an estimated $11 million — potentially as much as $30 million — in more than 30 attacks across 15 countries in Africa, Asia, and Latin America.
A suspected senior member of the hacker group OPERA1ER has been arrested in Operation Nervone, conducted jointly by multiple international law enforcement agencies, Interpol said in a press note.
"Following extensive cooperation, Interpol, Afripol, Group-IB, and Côte d'Ivoire's Direction de l’Information et des Traces Technologiques (DITT) are announcing the arrest of a suspected senior member of the group, dealing a significant blow to their criminal activities," Interpol said.
OPERA1ER -- also known as NX$M$, DESKTOP Group, and Common Raven -- has been operational for over four years. It is a highly organized criminal organization that has targeted financial institutions and mobile banking services with malware, phishing campaigns, and large-scale business email compromise (BEC) scams.
"The group is believed to have stolen an estimated $11 million -- potentially as much as $30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," Interpol said.
Operation Nervone
Operation Nervone was backed by two key Interpol initiatives -- the African Joint Operation against Cybercrime, and the Interpol Support Programme for the African Union, which works with the AU’s Afripol intergovernment police coordination agency. The initiatives are funded by the UK’s Foreign, Commonwealth & Development Office and Germany's Federal Foreign Office, respectively.
"In early June, authorities in Côte d'Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa," Interpol said in its release.
Researchers at Group-IB first identified the group's illicit email campaigns in 2018, when they recognized spear phishing operations responsible for spreading malware such as remote access tools.
Additional information that helped with the investigation was shared by the Criminal Investigative Division of the US Secret Service and researchers from DarkLabs, a Booz Allen Hamilton cybersecurity team.
The hacker group OPERA1ER
OPERA1ER is a French-speaking, financially motivated hacker group, according to Group-IB. The cybersecurity firm was able to identify at least 30 attacks carried out by OPERA1ER between 2019 and 2021. The group successfully compromised payment and Internet banking systems in all these attacks. In at least two banks, OPERA1ER was able to access the SWIFT messaging interface, which is used to communicate the details of financial transactions.
The group used spear phishing emails as its initial attack vector. The emails contained links to Google Drive, Discord servers, compromised legitimate websites, and malicious servers belonging to the threat actor. Most of the emails were written in French; however, researchers also reported emails written in English.
"Furthermore, this email targeted only 18 users in the same country all linked to financial services associated with the topic and some VIPs," Group-IB said in the report.
Between 2019 and 2020, the group used multiple payloads, including NanoCore, H-Worm (Houdini Worm), WSH Rat, Remcos, Adwind, or QNodeJS.
"Once an initial RAT is deployed, operators analyze compromised machines. When a machine of interest is infected, Metasploit Meterpreter or Cobalt Strike Beacon is downloaded and launched," Group-IB said in the research, adding that the group typically waited for a year between the initial intrusion and the final payload execution.
Finally, the group would withdraw the stolen money as cash through an extensive network of ATMs over holidays or weekends to avoid detection.
There were also links found between OPERA1ER and a cybercriminal group, Bluebottle, that used a signed Windows driver in attacks against at least three banks in French-speaking African countries, according to Symantec.