Palo Alto Networks Unit 42: Silver Terrier is the code name of the cybercrime groups in Nigeria, specialized in the Business Email Compromise (BEC) scam
Silver Terrier is the code name of the cybercrime groups in Nigeria, specialized in the Business Email Compromise (BEC) scam. The phenomenon has been tracked by Palo Alto Networks Unit 42 cybersecurity experts, who identified 540 distinct clusters of activity that they associate with Nigerian actors and groups. Seeking to understand these actors and their behaviors better, in 2016 they started working to identify commonalities among the actors. In 2017, the threat continued to expand to over 300 actors or groups, and in 2018 they surpassed 400, as the number of attempted attacks against the company's customers climbed to an average of 28,227 per month. Additionally, researchers began to observe a shift away from simple information stealers as more actors started to embrace RATs, which afforded greater capabilities. By the end of 2019, this shift in tools had progressed to an established trend, as information stealer usage declined steadily, while RAT adoption grew an impressive 140% year over year. Finally, in 2020 threat groups paused their traditional invoice- and package delivery-related phishing campaigns in favor of pandemic-related themes.
The identikit of the Nigerian cybercrime groups
According to the cybersecurity researchers, Nigerian Silver Terrier cybercrime actors were originally:
- Living Comfortably – The actors were predominantly from the cities of Owerri, Lagos, Enugu, Warri and Port Harcourt in the southwest/coastal region of Nigeria. The majority stayed close to friends and family, where they lived quite comfortably based on the favorable exchange rate between foreign currency and the Nigerian naira. Their social media accounts often flaunted their criminal successes with pictures of foreign currency, huge homes and luxury vehicles such as Range Rovers. Additionally, some of the more successful actors traveled abroad to places like the United Kingdom and Malaysia, where they quickly reestablished their criminal operations.
- Educated – Many of the actors had attended technical secondary school and went on to obtain undergraduate degrees from federal or regionally aligned technical university programs.
- Adults – The actors ranged in age from late teenage years to adults in their mid-40s, thus representing a wide range of generations participating in the criminal activity. The older actors were often found to have evolved to BEC activity from other legacy forms of advanced fee scams, while the younger actors graduating with fresh university degrees began their criminal careers by jumping straight into malware campaigns.
- Not Hiding – While a small subset of the actors went to great lengths to conceal their identities, the culture within Nigeria at the time allowed for a permissive environment for these types of illicit activities. As a result, the actors frequently applied little effort toward maintaining anonymity and often combined fake names or aliases with local street addresses, phone numbers and personal email addresses when registering their malicious domains. In doing so, the researchers found that it was often easy to link these users to their social media and networking accounts on platforms such as Facebook, Google+, LinkedIn, Twitter, Skype, Yahoo Messenger and so on.
- Becoming Organized – Early in the evolution of BEC, the researchers saw that small clusters of actors were beginning to communicate, cooperate, and share tools and techniques. Most commonly, this took the form of an experienced actor standing up malware infrastructure for their friends or younger protégés. Alternatively, the researchers saw actors sponsoring other actors for access to hacking forums, but while there were occasionally large groups of actors working together, such cases were believed to be rare.
Who is Silver Terrier today
In 2021, however, Palo Alto Networks Unit 42 found that the majority of Nigerian cybercrime actors continue to be well educated, having completed both secondary and university programs. As these actors age, “we see a notable decline in criminal activity as actors reach their mid to late 30s. While the exact reason is difficult to pinpoint, we believe that the decline may be due in part to actor maturation, including an interest in reducing risks as they start families, or simply that they have earned enough through their criminal exploits that they wish to pivot to legitimate business ventures. Conversely, it’s also worth noting that we rarely see young children or teenagers involved in this type of malicious activity. New actors entering the space tend to be in their late teens and early 20s. On the younger side, technical skills and education, more than anything, remain a firm barrier to entry for this type of criminal activity”.
Nigerian and international Police forces are reacting against the BEC scams
Furthermore, half a decade of change in Nigeria, as well as improved global awareness of the BEC threat, has had a positive effect in reducing how brazenly these actors operate. The Nigerian Federal Police (NFP) and the Economic and Financial Crimes Commission (EFCC) have demonstrated significant growth and outcomes in their efforts to combat this threat and routinely post pictures of the actors they arrest on their Twitter accounts. Aiding their efforts, organizations like INTERPOL, the FBI and the Australian Federal Police (AFP) have collaborated internationally to enable global prosecution efforts. Concurrently, in the technology space, there have been mixed developments: collaborative platforms like Yahoo Messenger and Google+ were retired, while privacy improvements across social media platforms have made attribution harder. As for the actors themselves, they have faced growing awareness of the risks associated with their criminal activity as the culture in Nigeria has evolved. While social media accounts may still flaunt their wealth, today it is far less common to see posts openly discussing illegal activities, pictures of foreign currency or other content that may draw unwanted law enforcement attention.