More than 480 “indiscriminate” Nigerian malware groups have ramped up their use of business email compromise (BEC) to target Western countries with up to 245,000 monthly attacks on the customers of one security vendor alone.
The escalation of attacks marks a coming of age for a loose consortium of cybercriminals that started out as novices in 2014, security researchers at Palo Alto Networks (PAN)'s Unit 42 threat-intelligence team said, collectively christening the group SilverTerrier.
“In five years, SilverTerrier actors have evolved from being novice threat adversaries to mature cybercriminals,” the researchers said, noting that the cybercriminals “remain indiscriminate in their targeting” of all industry segments.
In analysing the logs produced by PAN customers’ systems, Unit 42 researchers have identified more than 81,300 malware samples that they attribute to over 2.1m attacks – including a near-doubling of attacks on high-tech industry targets, which were targeted 313,000 times last year.
The attacks also included an escalating surge of BEC attacks, which rely on social manipulation to trick victims into depositing company money into the cybercriminals’ accounts.
Professional and legal services providers were the second most-frequently attacked industry, with BEC attacks jumping by an “alarming” 1163 per cent from 2018 to 2019.
The extent of SilverTerrier actors’ shift towards professional and legal services targets “demonstrates a significant shift in targeting practices”, PAN said.
Manufacturing, education, and wholesale and retail industries rounded out the group’s top five malware targets.
Joining the global race
Nigerian malware authors were initially known for using the technology to advance ‘419 scams’ – also known as Nigerian scams – that seek to extort money from victims around the world.
Such scams are still in operation: Scamwatch figures confirm that 661 Australians reported losing nearly $1.1m to Nigerian scammers last year alone.
Yet the rapid escalation of SilverTerrier’s attack volumes and sophistication has now led PAN analysts to conclude that the malware authors “have evolved to a point where they are demonstrating signs of maturity consistent with established threat groups in their delivery techniques, malware packaging, and technical abilities.”
Graduating to the big-time puts SilverTerrier in the company of a range of malicious groups that have been singled out for what CrowdStrike CEO and co-founder George Kurtz called “relentless and sophisticated” campaigns comprising “sustained operations targeting the underpinnings of our society”.
“Of concern here is the widening variety of goals these highly capable adversaries may seek to achieve,” Kurtz noted in introducing the firm’s recent Global Threat Report 2020.
“Along with the more traditional objectives of espionage and surveillance have been added new tasks, such as sowing widespread disruption and discord among individuals, institutions and even whole countries and populations, all in pursuit of political and economic gains.”
SilverTerrier’s emerging role in this disruption puts it in the company of international cybercriminal groups that CrowdStrike researchers have tracked by country of origin using animal names like Russia-based PRIMITIVE BEAR, Iran-based IMPERIAL KITTEN, North Korean groups VELVET CHOLLIMA and LABYRINTH CHOLLIMA, and animal-themed groups from countries including China (Panda), Pakistan (Leopard), Vietnam (Buffalo), and India (Leopard/Tiger).
The designation Spider is also used for non-country-specific criminal groups, such as Dridex authors INDRIK SPIDER and the WIZARD SPIDER team responsible for the TrickBot banking Trojan, which has, among other things, contributed to devastating attacks assisted by the persistent Emotet email malware.
As its hundreds of member teams expand their use of malware from information-stealers to more sophisticated remote access Trojans (RATs), Nigeria’s SilverTerrier joins the ranks of the global malware animal kingdom with the winds of the COVID-19 pandemic at its back.
More than 80 per cent of current malware threats are related to the current coronavirus outbreak, according to a recent analysis by email-security firm Proofpoint.
Yet even as its malware authors continue to mature, a recent analysis by security firm Fortinet urged security practitioners to note that Nigeria “gets spammed just about as much as it spams others… Stereotypes thrive in ignorance, so let’s hope this data overcomes that ignorance.”