The OZIE Team: A Nigerian business email compromise threat actor group
Lead Analyst: Jacob Faires, Senior Analyst, Security Threat Intelligence, Global Threat Intelligence Center, US
In August 2019, the NTT Global Threat Intelligence Center (GTIC) began tracking a threat actor group based in Nigeria who specialized in business email compromise (BEC). GTIC has named this group the ‘OZIE Team’. At the time this article was written, the OZIE Team had targeted 852,541 domains since becoming active in 2017.
The OZIE Team is non-discriminatory in their targeting. Targets rotate weekly by country, industry and a combination of the two, with generally no more than two malspam campaigns run from the same virtual private servers (VPS). Targets tend to be chosen first by country, then by industry.
The OZIE Team performs massive reconnaissance spam campaigns against a variety of industries looking for victims. After the reconnaissance campaigns, the OZIE Team analyzes the results and uses them to select an industry to focus on.
The OZIE Team has specifically targeted organizations in almost every industrialized nation in the world, but has a penchant for countries with large manufacturing bases like Singapore, China, the United Kingdom and the United States. The OZIE Team has seen success in milling companies, raw materials suppliers and healthcare product manufacturing, and they have directly targeted the following industries:
- Manufacturing
- Healthcare
- Automotive
- Food distribution
Tactics, techniques and procedures
The OZIE Team is a Nigerian group that relies on commodity malware sold through sites like HackForums.net and private Discord groups. To purchase the commodity malware, the OZIE Team uses Bitcoin and Bitcoin Cash, or internet payment systems like Perfect Money.
Malware
The OZIE Team constantly changes their tactics to evade detection and increase the success rate of their attacks. The primary goal of the OZIE Team during the initial phase of a campaign is to steal victims’ credentials in order to gain access to the victim’s webmail account. The OZIE Team frequently changes which exact malware they use to support these attacks.
In 2019, the OZIE Team ran many malware spam (malspam) campaigns. The group primarily used the Agent Tesla keylogger but would alternate with the Hawkeye keylogger. The OZIE Team typically sends phishing emails with financial lures to trick the victim into interacting with the malspam; this includes subject lines like ‘Quotation Request’ and ‘Proforma invoice’. To make the malware fully undetectable by antivirus software, the OZIE Team used the Cassandra Crypter for their campaigns, then switched to an Atilla Crypter subscription in the second half of 2019. As the group transitioned into 2020, it used many different pieces of malware such as the Origin Keylogger, Masslogger, Formbook and FireElement, a private Java remote access trojan (RAT) described in the September GTIC Monthly Threat Report.