
How Hackers Use Free Tools to Attack Banks in Africa — What You Need to Know


Cybersecurity experts have discovered a wave of cyber attacks targeting banks and financial institutions in different parts of Africa. These attacks have been happening since at least July 2023. What’s surprising is that the hackers are not using expensive or custom-made tools. Instead, they are using open-source tools — tools that anyone can download for free from the internet.

These hackers are careful. They use tricks to hide what they're doing and make their tools look like normal programs: they rename their files, copy the icons, and forge the code-signing signatures of trusted software such as Microsoft Teams and Palo Alto Networks Cortex, so that a glance at a running process or a file's properties shows nothing unusual. One practical caveat: a copied or forged signature does not actually validate against the file it is attached to, so checking whether the signature is valid, rather than only who it claims to be from, is what catches this.

A cybersecurity research group called Palo Alto Networks Unit 42 is keeping track of this cybercrime activity. They’ve named it CL-CRI-1014 — “CL” stands for “cluster” and “CRI” stands for “criminal.” They believe the hackers’ goal is to break into computer systems and then sell that access to other criminals on the dark web. These types of hackers are known as Initial Access Brokers (IABs).

What Tools Are the Hackers Using?

These cybercriminals are using a mix of free, open-source tools and off-the-shelf commercial software, including:

  • PoshC2 – an open-source command-and-control (C2) framework used to control infected computers remotely.

  • Chisel – an open-source tunnelling tool that wraps network connections inside ordinary HTTP traffic, letting attackers move data in and out of a network past firewalls.

  • Classroom Spy – commercial remote-monitoring software originally meant for teachers to watch students' screens, here misused as a remote access tool.

Once they get into a network, the attackers usually install these tools to take over systems, move to other devices in the same network, and avoid being detected.

How Do They Break In?

So far, experts don't know how the hackers first get inside these financial systems (the initial access vector is still unknown). But once they're in, the attackers install other programs like:

  • MeshCentral Agent – the agent side of MeshCentral, an open-source remote management tool, used to control the computer remotely.

  • Classroom Spy – to watch everything users are doing on screen.

  • Chisel – to tunnel traffic past firewalls and other network blocks.

They also use PoshC2 and make it look like it's part of popular software so that no one suspects anything. To stay inside the system for a long time, they make PoshC2 run automatically using different methods like:

  • Creating a new system service

  • Placing a shortcut in the Windows startup folder

  • Scheduling a fake system task called “Palo Alto Cortex Services”

They also steal usernames and passwords and use them to set up a proxy inside the victim's network, so their command-and-control traffic blends in with normal activity and they can keep talking to their servers without being noticed.

Why Is This Important?

If you work in the banking or finance sector in Africa — or even run a small business — this is very important. Hackers don’t always go after big companies. They often look for smaller targets that don’t have strong cybersecurity. If they break into your network, they could steal sensitive information or sell access to others who might install ransomware or steal money.

This isn’t the first time tools like PoshC2 have been used in Africa. In 2022, a similar attack campaign called DangerousSavanna targeted banks in Ivory Coast, Cameroon, Senegal, Togo, and Morocco. That time, hackers used email phishing to trick people into downloading malware.

What Else Is Happening in Cybersecurity?

In addition to these attacks in Africa, another threat is growing worldwide. A new ransomware group called Dire Wolf has recently attacked at least 16 companies in the U.S., India, Australia, Canada, and other countries. Their favorite targets include:

  • Technology companies

  • Manufacturing companies

  • Financial services

The Dire Wolf ransomware is written in Go (Golang), and it can do serious damage. It can:

  • Disable Windows event logging (making it harder to trace the attack)

  • Shut down over 75 services and 59 programs

  • Delete shadow copies, Windows' built-in file snapshots, so victims can't roll back to clean versions

While we don’t yet know how Dire Wolf gets into systems, companies are being advised to monitor their systems carefully and follow best practices like using strong passwords, keeping software updated, and training employees on phishing attacks.
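"Monitor carefully" is easier with a concrete rule. The behaviours listed above (clearing event logs, stopping many services at once, deleting shadow copies) each map to a handful of built-in Windows commands, and process-creation telemetry (Sysmon event 1 or Security event 4688) records their command lines. The script below is an added example, not taken from the article or from any analysis of Dire Wolf itself: the command patterns it matches are the usual Windows ways of doing each thing, an assumption about tooling in general rather than a claim about this ransomware's code, and the sample events are constructed. It reports log clearing and shadow-copy deletion as soon as they appear, and reports service or process termination only when one parent process issues at least ten such commands within a minute, which separates a bulk kill from an administrator stopping a single service.

```python
"""Flag ransomware pre-encryption behaviour in process-creation telemetry.
Added example. SAMPLE_EVENTS is constructed to look like Sysmon event 1 /
Security 4688 records exported as JSON; it is not real data. The commands
matched are the common Windows ways to clear logs, delete shadow copies and
stop services (an assumption about tooling in general, not about Dire Wolf)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def image_name(image: str) -> str:
    """Basename of a Windows path, split on backslashes so it also works off-box."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Label one event with the behaviour it represents, or None if unremarkable."""
    if ev.get("EventID") == 1102:          # Security log: "The audit log was cleared"
        return "event log cleared"
    name = image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    shell = name in ("powershell.exe", "pwsh.exe")
    if name == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd):
        return "event log cleared"
    if shell and "clear-eventlog" in cmd:
        return "event log cleared"
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow copies deleted"
    if name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow copies deleted"
    if shell and "win32_shadowcopy" in cmd and "delete" in cmd:
        return "shadow copies deleted"
    if name in ("net.exe", "net1.exe", "sc.exe") and re.search(r"\bstop\b", cmd):
        return "service stop"
    if name == "taskkill.exe":
        return "process kill"
    return None


def flag(events, threshold=10, window=timedelta(seconds=60)):
    """Return (label, id) findings. Log clearing and shadow deletion are reported
    per event; stop/kill commands only when one parent PID issues `threshold` or
    more of them inside `window`."""
    findings = []
    bursts = defaultdict(list)  # parent PID -> timestamps of stop/kill commands
    for ev in events:
        label = classify(ev)
        if label in ("event log cleared", "shadow copies deleted"):
            findings.append((label, ev.get("ProcessId")))
        elif label in ("service stop", "process kill"):
            bursts[ev["ParentProcessId"]].append(datetime.fromisoformat(ev["UtcTime"]))
    for ppid, times in bursts.items():
        times.sort()
        j = 0                       # left edge of the sliding window
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                findings.append(("mass service/process termination", ppid))
                break
    return findings


# Constructed sample telemetry (not real). Parent PID 4321 behaves like a
# ransomware loader: clears the Security log, deletes shadow copies, then stops
# a dozen services in about 20 seconds. Parent PID 777 is an admin stopping one.
_BASE = datetime(2025, 6, 1, 2, 14, 0)
_SERVICES = ["MSSQLSERVER", "SQLWriter", "VSS", "wuauserv", "BITS", "Spooler",
             "MSExchangeIS", "vmms", "W3SVC", "MySQL", "postgresql-x64-15", "Veeam"]
SAMPLE_EVENTS = [
    {"UtcTime": _BASE.isoformat(), "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ProcessId": 1001, "ParentProcessId": 500},
    {"UtcTime": (_BASE + timedelta(seconds=5)).isoformat(), "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "ProcessId": 1002, "ParentProcessId": 4321},
    {"UtcTime": (_BASE + timedelta(seconds=6)).isoformat(), "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ProcessId": 1003, "ParentProcessId": 4321},
    {"UtcTime": (_BASE + timedelta(seconds=8)).isoformat(), "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler", "ProcessId": 1004, "ParentProcessId": 777},
] + [
    {"UtcTime": (_BASE + timedelta(seconds=10 + 2 * i)).isoformat(),
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": f"net stop {svc} /y",
     "ProcessId": 2000 + i, "ParentProcessId": 4321}
    for i, svc in enumerate(_SERVICES)
]

if __name__ == "__main__":
    for label, ident in flag(SAMPLE_EVENTS):
        print(f"{label}: pid {ident}")
```

Two of the three signals here are worth alerting on by themselves: clearing a Security log or deleting shadow copies is rare in normal operations and almost always deserves a call. The burst rule is where tuning happens; raise the threshold or widen the window if your patch-management tooling legitimately stops many services from one parent during maintenance.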

How Can You Protect Your Business?

If you own a website, run a business, or manage a bank or fintech company in Africa, here are some important things you should do:

  • Use strong and unique passwords for all systems

  • Install antivirus software and keep it up to date

  • Educate your employees about phishing emails and fake downloads

  • Update your software and operating systems regularly

  • Use a firewall and intrusion detection system

  • Monitor your network for strange behavior

  • Use two-factor authentication (2FA) whenever possible

Also, avoid downloading unknown software and be cautious of attachments or links in emails, even if they look like they came from someone you trust.

Cybercrime is growing quickly, and hackers are getting smarter every day. By learning how these attacks work and how to protect yourself, you can help keep your company and customers safe.

Cybersecurity is not just for IT teams anymore. Everyone — from employees to small business owners — must take part in keeping systems secure.
