SilverTerrier is not a traditional cybercrime group. It is the collective name Unit 42 of Palo Alto Networks gives to Nigerian cybercriminals. SilverTerrier continues to grow (over 400 individual actors) and evolve (from advance fee and 419 scams to business email compromise (BEC) and malware distribution).
The latest Internet Crime Report, published in April by the FBI’s Internet Crime Complaint Center (IC3), indicates that 20,373 victims reported BEC losses of $1.298 billion to 65,116 victims. While this crime is global in both perpetrator and victim, the FBI’s worldwide Operation WireWire during the first half of 2018 led to 74 BEC-related arrests. Of these, 42 were in the U.S. (a figure that includes mule arrests), and 29 in Nigeria. The next highest figure was three, in each of Canada, Mauritius and Poland.
Unit 42 believes 2018 marks a potential turning point in the fight against BEC. “Where cyber actors previously acted with impunity,” it says, “law enforcement has now demonstrated the resolve to coordinate with foreign partners in pursuit of these crimes.” But while the BEC threat is being tackled, there is still a growing SilverTerrier threat, with a 58% increase in cyber-attacks through 2018.
Unit 42 is Palo Alto Networks’ threat intelligence team — so named because ‘42’ is Douglas Adams’ answer to “the ultimate question of life, the universe and everything.”
In recent years, Nigerian hackers have added malware distribution to their historical concentration on email scams. They are not yet counted among malware developers, but have adopted the use of commodity malware tools that they obfuscate with a variety of ‘crypters’. As a result, the new samples of old malware still defeat the majority of signature detections.
Unit 42 believes the majority of malware used by Nigerian hackers comprises either information stealers or remote administration tools (RATs). Looking at the top ten stealers, an average of 1,000 unique samples appeared each month during 2018. This is lower than previous years (a 26% decline from 2017), and Unit 42 believes that the use of information stealers has plateaued and is now in decline — possibly caused by a declining availability of tools, increased law enforcement efforts, and improved cybersecurity.
But while SilverTerrier seems to be reducing its use of information stealers, the use of RATs is expanding. It is still less in absolute terms than the use of stealers, but the trajectory is up while the stealers’ trajectory is down. There was an average of 533 samples per month from the top ten RATs used by the Nigerian hackers in 2018 — an increase of 36% over 2017.
RATs provide an increase in functionality over stealers. They, says Unit 42, “allow SilverTerrier actors to modify systems, access network resources, and perform functions on behalf of compromised users. This functionality is commonly leveraged to send malicious or fraudulent emails and access databases within victim organizations in hopes of monetizing their efforts.” RATs and BEC would seem to be a combination for SilverTerrier.
The most popular RAT in use was NanoCore. Its author, Taylor Huddleston, was arrested in February 2017, and sentenced to 33 months in prison in February 2018. A cracked version of his RAT, however, remains available for download from various internet forums. Unit 42 found an average of 150 SilverTerrier NanoCore samples per month during 2018.
The Houdini worm (HWorm) is also popular, with an average of 70 samples found per month. HWorm was created in 2013, but was widely posted to internet paste sites in 2017. From there it seems to have found its way to Nigeria, first occurring in 2018.
The apparent move from stealers to RATs may indicate improving technical capability within SilverTerrier. The interactive nature of RATs, comments Unit 42, “demands steady connections to control servers that are often running on high number ephemeral ports. In order to protect the control servers, actors frequently rely on dynamic DNS and virtual servers rather than static domain registrations. This technique affords actors a layer of obfuscation making attribution more difficult while also extending the useable life of a malware sample.”
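One way a defender can hunt for the control-channel pattern Unit 42 describes (steady, repeated sessions from one host to a dynamic DNS name on a high port), as an added example that is not part of this article or the Unit 42 report; the egress log format, the dynamic DNS provider suffixes and the sample log lines are constructed assumptions:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumption (not from the report): suffixes of a few dynamic DNS providers.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Constructed sample egress log lines: "<epoch> <src_ip> <dst_host> <dst_port>".
SAMPLE_LOG = """\
1546300800 10.0.0.5 updates.example.com 443
1546300860 10.0.0.7 rat-c2.duckdns.org 5552
1546300920 10.0.0.7 rat-c2.duckdns.org 5552
1546300930 10.0.0.9 mybox.no-ip.org 8080
1546300980 10.0.0.7 rat-c2.duckdns.org 5552
1546300985 10.0.0.5 cdn.example.net 443
1546301040 10.0.0.7 rat-c2.duckdns.org 5552
1546301400 10.0.0.9 mybox.no-ip.org 8080
1546301410 10.0.0.9 mybox.no-ip.org 8080
"""

def is_dyndns(host):
    """True if the destination name lives under a known dynamic DNS provider."""
    return host.lower().endswith(DYNDNS_SUFFIXES)

def find_suspect_beacons(log_text, min_port=1024, min_hits=3, max_jitter=0.25):
    """Return (src, host, port, hits, jitter) for sources that repeatedly reach a
    dynamic DNS host on a high port at regular intervals: the footprint of a RAT
    holding a steady session with its control server. Irregular or one-off
    contacts (ordinary user traffic) fall below the thresholds and are ignored."""
    seen = defaultdict(list)  # (src, host, port) -> connection timestamps
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, src, host, port = fields
        if int(port) >= min_port and is_dyndns(host):
            seen[(src, host, int(port))].append(int(ts))
    hits = []
    for key, stamps in seen.items():
        if len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation of the inter-connection gaps: 0 = perfectly periodic.
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if jitter <= max_jitter:
            hits.append((*key, len(stamps), round(jitter, 2)))
    return sorted(hits)
```

On the sample log only 10.0.0.7 is flagged: 10.0.0.9 also talks to a dynamic DNS host on a high port, but its three contacts are too irregular to look like a maintained session.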
Financial fraud may still be the mainstay of Nigerian cybercrime, but the criminals have evolved from email-delivered Nigerian Prince scams to sophisticated RAT-supported BEC. While the actors may not have the technical expertise of east European cybercriminals, this isn’t necessary. The use of commodity malware disguised by crypters lies behind a continuing and growing threat.