Nigerian cybercriminals are evolving their tactics and targeting enterprises, according to researchers at Palo Alto Networks.
During the past three months, researchers at Palo Alto Networks have identified a series of attacks believed to be coming from Nigerian cybercriminals that are targeting customers in Taiwan and South Korea. In the past, the individuals behind the attacks have been focused on what are known as 419 scams, which typically involve a person receiving an email that claims to offer them a large amount of money in exchange for paying the scammer a smaller amount upfront.
The firm has codenamed the attacks ‘Silver Spaniel.’ According to Palo Alto Networks, the attacks have used commodity tools that can be purchased in the cyber-underground for small fees and deployed by anyone with a laptop and an email address. Two tools in particular have been used in multiple attacks – NetWire, a remote access tool that gives the attacker complete control over a Windows, Mac OS X or Linux system, and a second tool known as DataScrambler, a crypter that obfuscates the NetWire payload so that antivirus engines do not detect it.
“Despite the effectiveness of these tools, some of these actors showed remarkably poor operational security that revealed their infrastructure and real world identities,” Palo Alto Networks noted in a paper. “The group is comprised of individuals who have previously operated 419 scams, which rely on tricking wealthy individuals into giving their wealth to the scammer.”
“These individuals are often experts at social engineering, but novices with malware,” the report continues. “In the past three years they have begun launching more attacks using malware and learning new tactics on Internet hacking forums.”
While Nigerian scammers have historically targeted wealthy individuals, the Silver Spaniel attacks so far in 2014 have focused on businesses. Palo Alto Networks did not have information on how the attackers are selecting their targets. The majority of the attacks, however, are against companies in Taiwan and South Korea.
“Silver Spaniel actors’ objective appears to be stealing passwords and other data they can use to further compromise their victim,” according to the report. “Thus far we have not observed any secondary payloads installed or any lateral movement between systems, but cannot rule out this activity.”
The attacks share several common command-and-control features. The attackers configure each RAT (remote access tool) to connect to a dynamic DNS hostname obtained from NoIP.com, such as living2013mh.no-ip.biz, rather than to a fixed IP address, which lets them move the C2 server without rebuilding the malware. The attackers also use a VPN service provided by NVPN.net, which routes their traffic through a different IP address than the one assigned by their ISP, according to the report.
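Because the RATs phone home to NoIP dynamic DNS hostnames, resolver or passive-DNS logs are a practical place to look for this activity. The script below is an added example (not code from the Palo Alto Networks report) that parses a small constructed resolver log, normalises each queried name, and reports which internal clients queried a dynamic DNS hostname. The suffix no-ip.biz comes from the article's example; the other suffixes in the list are NoIP-operated zones added here as an assumption to broaden coverage, and the log format (timestamp, client IP, query type, qname) is likewise assumed.

```python
"""Flag DNS queries for dynamic-DNS hostnames such as *.no-ip.biz."""
import re
from collections import defaultdict

# no-ip.biz is the suffix the report cites; the others are NoIP-operated
# zones added here as an assumption, not taken from the report.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "no-ip.info", "ddns.net")

# Constructed sample resolver log (not real traffic):
# <timestamp> <client IP> <query type> <queried name>
SAMPLE_LOG = """\
2014-07-22T09:14:03Z 10.20.1.15 A living2013mh.no-ip.biz
2014-07-22T09:14:03Z 10.20.1.15 A www.paloaltonetworks.com
2014-07-22T09:15:47Z 10.20.1.32 A updates.example.com
2014-07-22T09:16:10Z 10.20.1.15 A LIVING2013MH.NO-IP.BIZ.
2014-07-22T09:17:55Z 10.20.1.44 AAAA host7.ddns.net
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (A|AAAA|CNAME|TXT|MX) (\S+)$"
)


def normalize_qname(qname):
    """Lower-case the name and drop a trailing root dot so variants compare equal."""
    return qname.rstrip(".").lower()


def dyndns_suffix(qname):
    """Return the matching dynamic-DNS suffix, or None.

    Matches the zone apex and its subdomains only, so a look-alike such as
    foo-no-ip.biz is not flagged.
    """
    name = normalize_qname(qname)
    for suffix in DYNDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": normalize_qname(qname)}


def find_dyndns_queries(log_text):
    """Return {client_ip: sorted unique dynamic-DNS hostnames that client queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and dyndns_suffix(rec["qname"]):
            hits[rec["client"]].add(rec["qname"])
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_dyndns_queries(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(names))
```

On the sample log this flags 10.20.1.15 (for living2013mh.no-ip.biz, matched in both its original and upper-cased, trailing-dot form) and 10.20.1.44. Dynamic DNS is used legitimately as well, so treat a hit as a lead to pivot on (which process made the query, what it connected to afterwards) rather than as a verdict on its own.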
In addition to NetWire, other attacks have also used the DarkComet RAT.
“These Silver Spaniel malware activities originate in Nigeria and employ tactics, techniques and procedures similar to one another,” said Ryan Olson, intelligence director for Palo Alto Networks’ Unit 42 team, in a statement. “The actors don’t show a high level of technical acumen, but represent a growing threat to businesses that have not previously been their primary targets.”