Skip links

Cops’ Killer Bee stings credential-stealing scammer

An Interpol-led operation code-named Killer Bee has led to the arrest and conviction of a Nigerian man who was said to have used a remote access trojan (RAT) to reroute financial transactions and steal corporate credentials. Two suspected accomplices were also nabbed.

The trio, aged between 31 and 38, were detained as part of a sting operation involving law enforcement agencies across 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand, and Vietnam. 

The suspects were arrested in the Lagos suburb of Ajegunle and in Benin City, Nigeria. At the time of their arrests, all three men were in possession of fake documents, including fraudulent invoices and forged official letters, it is claimed.

Interpol linked the suspects to a syndicate of Nigerian fraudsters using a RAT known as Agent Tesla to access business computers and divert monetary transactions to their own accounts.

While the cops didn’t disclose how much money the crooks allegedly stole, we’re told the corporations targeted included oil and gas companies in Southeast Asia, the Middle East, and North Africa. One of the scammers, Hendrix Omorume, was charged and convicted of three counts of serious financial fraud, and now faces 12 months behind bars, according to Interpol. The two other men are still on trial.

“Through its global police network and constant monitoring of cyberspace, Interpol had the globally sourced intelligence needed to alert Nigeria to a serious security threat where millions could have been lost without swift police action,” the police organization’s director of cybercrime Craig Jones said in a statement.

Just last week Interpol and cops in Africa arrested another Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

That year-long initiative, code-named Operation Delilah, also involved international law enforcement and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

Agent Tesla RAT

We’re told the Killer Bee operation was also based on intelligence received from Trend Micro about the emergence and usage of Agent Tesla malware.  

The security shop’s researchers discovered the spyware being delivered via phishing email to log keystrokes as well as steal credentials from various Windows applications in late 2019. 

The RAT, which first appeared in 2014, uses multiple techniques to evade detection, according to Qualys threat researchers. Once Agent Tesla is deployed, it can perform all sorts of nefarious acts including keylogging, screen capture, form-grabbing, and credential stealing.

“It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook — making its potential impact truly catastrophic,” Qualys Principal Research Engineer Ghanshyam More wrote in a technical analysis earlier this year. ®