DangerousSavanna Detection: Attacks Targeting Various Financial Orgs Revealed


Security analysts revealed a two-year-long spear-phishing campaign aimed at entities in the financial sector in French-speaking African countries – Morocco, Togo, Ivory Coast, Cameroon, and Senegal. The campaign is codenamed DangerousSavanna, and its operators are heavily relying on social engineering techniques for initial access, consequently employing customized malware such as AsyncRAT, PoshC2, and Metasploit.

The modus operandi of adversaries implies that financial gain is the main motivation for this series of attacks.

Detect DangerousSavanna

Criminal hackers’ tactics and techniques continue to evolve, developing more sophisticated methods to trap organizations across the globe. The SOC Prime’s team of threat hunting engineers has adopted a follow-the-sun methodology to ensure timely delivery of vetted detection content, helping security experts to streamline their proactive cyber defense routine. The following Sigma-based rule released by SOC Prime’s Threat Bounty developer Kyaw Pyiyt Htet detects the traces of breaches characteristic of DangerousSavanna operation attacks:

Suspicious ‘DangerousSavanna’ Campaign Scheduled Task Execution by Detection of Associated Commands (via CmdLine)

The rule can be applied across 26 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform. To ensure enhanced visibility into related threats, the detection is aligned with the MITRE ATT&CK® framework. Using behavior-based Sigma rules tagged with ATT&CK techniques, sub-techniques, and tools, is a tried-and-true approach to improve security posture. Access a rich library of detection content backed by the superb expertise of 600+ Threat Bounty Program researchers and threat hunters, who actively contribute their own detection content to the SOC Prime Platform while receiving recurring rewards for their input. Press the Explore Detections button to browse through a repository hosting 200,000+ context-enriched detection pieces. 

Explore Detections  

DangerousSavanna Analysis

Check Point Research (CPR) has published the results of an in-depth investigation into the long-lasting malicious campaign compromising org in the financial sector located in several Central and Western African countries on September 6, 2022. Security analysts detailed adversaries’ approaches, including them using social engineering tactics to gain illicit access to the victim’s devices and networks. Threat actors used domains that helped them look legit, masquerading as financial companies to lure victims. Adversaries bombarded their targets with phishing emails sent out via Gmail and Hotmail services with weaponized attachments offered for download. These attachments were documents of various types, including .NET-based tools disguised as PDF files. Researchers report of threat actors behind this campaign being particularly persistent, trying out different attack vectors to break into victims’ systems. At the moment of writing this article, there are at least three companies affected.

Post-infection activities included achieving persistence, collecting information, and fetching additional malicious payloads.

Eager to learn more about enhancing your security countermeasures? Join SOC Prime’s Platform to unlock access to the world’s largest pool of detection content created by industry leaders and drive efficiency in your security ecosystem. SOC Prime, headquartered in Boston, US, is powered by an international team of seasoned experts dedicated to enabling collaborative cyber defense.


Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts