Check Point Research has uncovered a campaign that has been running for two years and is still active. It starts with spear-phishing: emails with malicious attachments are sent to employees of financial institutions in at least five different French-speaking countries in Africa: Ivory Coast, Morocco, Cameroon, Senegal and Togo.
The full research report, which you can find here, is worth reading.
After the initial spear-phishing incursion, the DangerousSavanna campaign, as it's known, installs software to help extract money.
Here's what the email looks like. It's written in French:
The general infection flow is this:
This attack is ongoing. However, using Check Point Threat Emulation and email security, this attack was blocked in a customer environment.
This attack showcases the need for comprehensive security. In this case, if the spear-phishing email gets through to the inbox and you don't have threat emulation and other malware protections, you're out of luck.