Over the years, cyber criminals hailing from Nigeria have developed a reputation for amateurish and crude “419” spam emails that are easily spotted and ignored, but threat actors in the country are now deploying highly-sophisticated business email compromise (BEC) attacks, and are a live and dangerous threat to organisations around the world, according to Peter Renals of Palo Alto Networks’ Unit 42 threat research department.
BEC attacks have emerged as one of the most profitable and prominent threats facing organisations – accounting for over $26bn (£20.6bn/€23.4bn) of losses globally since 2017, according to recent FBI statistics – and eclipsing estimated global losses from high profile cyber security incidents such as WannaCry and NotPetya.
Unit 42 has been tracking a group of Nigerian cyber criminals, collectively dubbed SilverTerrier, since its humble beginnings six years ago, when it was a handful of individuals experimenting with commodity malware attacks; it has since grown to encompass over 480 threat actors and groups now operating out of the country.
“In five years from 2014 to 2019, SilverTerrier actors have evolved from being novice threat adversaries to mature cyber criminals,” said Renals in a disclosure blog.
“According to our latest findings, we saw an 1163% increase in BEC attacks against the professional and legal services industry in 2019. While we lack insight into the root cause, this jump nevertheless demonstrates a significant shift in targeting practices amongst SilverTerrier actors.”
Unit 42 revealed that the group sent out thousands, sometimes hundreds of thousands, of BEC attacks every month during 2019, a significant spike over its activity in 2018, and that virtually all of its attacks leveraged email protocols to reach target networks.
Simple Mail Transfer Protocol (SMTP) traffic accounted for 69% of attacks, while Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) accounted for 26% and 2.8% respectively, reflecting a trend towards SMTP as an industry standard. Beyond this, web browsing accounted for 1.9% of attacks, and attacks through file transfer protocol (FTP) traffic accounted for 0.3%.
Once a network has been infiltrated, the group tends to use information stealers and remote administration tools (also known as remote access trojans or Rats), and it is here that Unit 42 said SilverTerrier had now evolved to a point where it must be considered on par with other established threat groups.
During 2019, Palo Alto’s WildFire malware analysis service found over 27,000 samples of SilverTerrier malware, most of them commodity tools employing various obfuscation techniques to deceive legacy antivirus products. A comparison of samples to VirusTotal showed an average detection rate of 57.3%.
SilverTerrier currently uses a number of popular commodity information stealer families against its victims, including AgentTesla, AzoRult, Lokibot, Pony, and PredatorPain, although its use of information stealers has dropped off since 2017, possibly due to a lack of new tools and advancements in the security landscape rendering them less effective.
Its use of Rats, which offer cyber criminals remote access into compromised accounts and are typically more sophisticated than information stealers, has increased over the past five years. SilverTerrier has been observed using 13 different Rats, of which the most popular at the moment are NanoCore and Netwire, although it is also making use of Adwind, DarkComet, Hworm, Imminent Monitor, Remcos, Revenge and WSHRat.
Renals said the shift from information stealers to Rats indicated the group’s growing technical abilities, coupled with such tools’ growing effectiveness. He said he expected the trend to continue in 2020.
Unit 42 found that SilverTerrier was largely indiscriminate in its targeting, with all industry segments at risk, although high tech, and professional and legal services were the most frequently hit.
The researchers have also been able to attribute specific activities to individuals operating within SilverTerrier more easily than can usually be done with other advanced persistent threat (APT) groups.
Renals zeroed in on a specific individual, Actor X, one of the most active members of the group, who is known to hold an undergraduate degree from the Owerri Federal University of Technology in southeast Nigeria and to have served in Nigeria’s National Youth Service Corps. Now in his 40s, he is married with three children and still lives in Owerri, where he poses as a legitimate businessman and IT consultant.
Actor X maintains active social media accounts, and his contacts and friends include prominent figures in his community, including some working in law enforcement.
He has registered over 480 domains through over 90 email accounts, both to support other criminals and his own activities, and has produced over 4,000 malware samples used over 363,000 times against Palo Alto customers. Unit 42 said his technical skills have rapidly improved over time.
“Combining all of these characteristics empowers a refined understanding of the threat targeting our customers,” said Renals. “Specifically, the adversary is a person, not a vulnerability or piece of software, who has a technical college education, has put in the time to develop a web of online aliases required for his campaigns, and is following a strategy of deploying malware indiscriminately, and at scale, with the motivation of generating the income necessary to support his family.”
He said that as 2020 wears on, the most prominent threat facing organisations will be commodity malware deployed in support of sophisticated BEC schemes, as evidenced by the emergence of the first Nigerian commodity tool developer and the growing adoption of Rats among SilverTerrier actors.
“As a result we strongly encourage network defence teams across all industry verticals to take note of these trends and ensure staff receive the training necessary to identify and eradicate the most popular tools employed by this threat group,” said Renals.
More details on Unit 42’s research, including further statistics on its use of information stealers and Rats, details of what may be Nigeria’s first active malware developer, and indicators of compromise (IoCs), can be read here.