Security Experts:

Connect with us

Hi, what are you looking for?



Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors

SilverTerrier is not a traditional cybercrime group. It is the collective name Unit 42 of Palo Alto Networks gives to Nigerian cybercriminals. SilverTerrier continues to grow (over 400 individual actors) and evolve (from advance fee and 419 scams to business email compromise (BEC) and malware distribution).

SilverTerrier is not a traditional cybercrime group. It is the collective name Unit 42 of Palo Alto Networks gives to Nigerian cybercriminals. SilverTerrier continues to grow (over 400 individual actors) and evolve (from advance fee and 419 scams to business email compromise (BEC) and malware distribution).

The latest Internet Crime Report, published in April by the FBI’s Internet Crime Complaint Center (IC3), indicates that 20,373 victims reported BEC losses of $1.298 billion to 65,116 victims. While this crime is global in both perpetrator and victim, the FBI’s worldwide Operation WireWire during the first half of 2018 led to 74 BEC-related arrests. Of these, 42 were in the U.S. (a figure that includes mule arrests), and 29 in Nigeria. The next highest figure was three, in each of Canada, Mauritius and Poland.

Unit 42 believes 2018 marks a potential turning point in the fight against BEC. “Where cyber actors previously acted with impunity,” it says, “law enforcement has now demonstrated the resolve to coordinate with foreign partners in pursuit of these crimes.” But while the BEC threat is being tackled, there is still a growing SilverTerrier threat, with a 58% increase in cyber-attacks through 2018.

Unit 42 is Palo Alto’s networks threat intelligence team — so named because ’42’ is Douglas Adams’ answer to “the ultimate question of life, the universe and everything.”

In recent years, Nigerian hackers have added malware distribution to their historical concentration on email scams. They are not yet counted among malware developers, but have adopted the use of commodity malware tools that they obfuscate with a variety of ‘crypters’. As a result, the new samples of old malware still defeat the majority of signature detections.

Unit 42 believes the majority of malware used by Nigerian hackers comprises either information stealers or remote administration tools (RATs). Looking at the top ten stealers, an average of 1,000 unique samples appeared each month during 2018. This is lower than previous years (a 26% decline from 2017), and Unit 42 believes that the use of information stealers has plateaued and is now in decline — possibly caused by a declining availability of tools, increased law enforcement efforts, and improved cybersecurity.

But while SilverTerrier seems to be reducing its use of information stealers, the use of RATs is expanding. It is still less in absolute terms than the use of stealers, but the trajectory is up while the stealers’ trajectory is down. There was an average of 533 samples per month from the top ten RATs used by the Nigerian hackers in 2018 — an increase of 36% over 2017.

RATs provide an increase in functionality over stealers. They, says Unit 42, “allow SilverTerrier actors to modify systems, access network resources, and perform functions on behalf of compromised users. This functionality is commonly leveraged to send malicious or fraudulent emails and access databases within victim organizations in hopes of monetizing their efforts.” RATs and BEC would seem to be a combination for SilverTerrier.

The most popular RAT in use was NanoCore. It’s author, Taylor Huddleston, was arrested in February 2017, and sentenced to 33 months in prison in February 2018. A cracked version of his RAT, however, remains available for download from various internet forums. Unit 42 found an average of 150 SilverTerrier NanoCore samples per month during 2018.

The Houdini worm (HWorm) is also popular, with an average of 70 samples found per month. HWorm was created in 2013, but was widely posted to internet paste sites in 2017. From there it seems to have found its way to Nigeria, first occurring in 2018. 

The apparent move from stealers to RATs may indicate improving technical capability within SilverTerrier. The interactive nature of RATS, comments Unit 42, “demands steady connections to control servers that are often running on high number ephemeral ports. In order to protect the control servers, actors frequently rely on dynamic DNS and virtual servers rather than static domain registrations. This technique affords actors a layer of obfuscation making attribution more difficult while also extending the useable life of a malware sample.”

Financial fraud may still be the mainstay of Nigerian cybercrime, but the criminals have evolved from email-delivered Nigerian Prince scams, to sophisticated RAT-supported BEC. While the actors may not have the technical expertise of east European cybercriminals, this isn’t necessary. The use of commodity malware disguised by crypters lies behind a continuing and growing threat.

Related: Agari Employs Active Defense to Probe Nigerian Email Scammers 

Related: Nigerian Hackers Attempt to Steal Millions From Shipping Firms 

Related: Nigerian Man Found Guilty on Charges Related to Hacking 

Related: Nigerian Sentenced to Prison in U.S. for BEC Scams 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.