Dubbed "Francophoned," the attacks would usually start with the attackers sending a malware-laden email to an administrative assistant or accountant within the organization, then phoning them directly, impersonating the sender and urging them to open the malicious attachment.
The researchers' reports from May and August 2013 explain well the different tactics used by the attackers, some of which appear to be exceptionally good and versatile social engineers that speak perfect French.
The attackers' initial goal was to make the victims install a RAT on their computers, which allowed them to harvest information that enabled them to empty the organizations' accounts.
It's good to point out that the attackers obviously do some thorough reconnaissance and are often able to target the correct person within the organization (i.e. the person that holds the proverbial strings of the money purse).
The campaigns launched in 2014 by the same group have been modified a little. The phishing and social engineering part of the attack is still the same, the C&C server is the same, but the delivered malicious payload is different.
The new threat used is Trojan.Rokamal, which can be configured to download and execute additional malicious files, steal information, open a back door, mine cryptocurrency, and perform DDoS attacks. But, as the campaigns are targeting organizations, the last two functions are not currently enabled as they would draw unwelcome attention to the malware on the system.
As before, the targeted organizations are mostly French or based in French-speaking countries. As the researchers note, the 110 million native speakers and 190 million that speak it as a second language "present a large pool of potential victims who may not have been targeted as heavily as English speakers."
"Operation Francophoned was specifically crafted to target French speakers and proves that language is a major (and often underestimated) factor in the reach and effectiveness of cybercrime campaigns," they pointed out.