The Nigerian business email compromise (BEC) threat actors referred to as SilverTerrier have intensified assaults on multiple industries and should be considered an established threat, Palo Alto Networks says.
In February, the FBI’s Internet Crime Complaint Center (IC3) revealed that reported BEC and email account compromise (EAC) losses topped $1.7 billion, up from $1.3 billion in 2018.
The Nigerian cybercrime groups operating under the SilverTerrier umbrella have contributed greatly to this growth, it seems. These cybercriminals are responsible for collectively producing more than 81,300 samples of malware linked to 2.1 million attacks, Palo Alto Networks says. Combined, they registered more than 23,300 fraudulent and malicious domains.
SilverTerrier attacks were linked to roughly 400 individual threat actors in 2018, but that number jumped to 480 in 2019. Since 2014, when it included only a few individuals experimenting with commodity malware, SilverTerrier has evolved into a mature, established threat.
The number of BEC attacks Palo Alto Networks observed last year averaged at 92,739 assaults per month, representing a 172% increase from 2018, when the average was 34,039 incidents per month. June 2019 was the peak month, with 245,637 attacks.
The high-tech industry was hit the most, reaching 313,000 attacks in 2019, nearly double compared to the previous year. The professional and legal services industry ended up in second position with approximately 248,000 attacks, marking a 1163% increase from 2018.
SilverTerrier actors are indiscriminate in their attacks, with manufacturing (roughly 145,000 attacks in 2019), education (around 143,000 attacks), and wholesale and retail industry (107,000 attacks) rounding up the top five.
Most of the attacks (97.8%) leveraged email protocols to reach target networks, with SMTP traffic accounting for 69% of attacks observed in 2019, and POP3 and IMAP accounting for 26% and 2.8% of attacks, respectively. Only 1.9% of attacks were delivered via web browsing and 0.3% via FTP.
In 2019, Palo Alto Networks identified 27,310 samples of SilverTerrier malware, most of which were commodity malware tools. At the time of discovery, these samples had an average detection rate of 57.3% across all vendors on VirusTotal.
Over the past five years, the security firm has identified over 10 different commodity information stealer families employed by SilverTerrier actors, with more effective tools being adopted over older ones. While the use of Atmos, Keybase, ISpySoftware, ISR Stealer, and Zeus dropped to negligible levels, AgentTesla, AzoRult, Lokibot, Pony, and PredatorPain remained in active use.
Since 2014, the threat actors have employed 13 RAT families, with LuminosityLink, NJRat, Quasar, and WarZone dropping in popularity over time, but Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat still actively used.
Overall, the use of information stealers has been declining over the past couple of years, but the use of RATs shows growth, which Palo Alto Networks says is an indication of growing technical skills, in addition to revealing the effectiveness of these tools in helping the threat actors perform fraud.
“Further, we anticipate that this growth trend will continue throughout 2020, as we see increasing numbers of actors adopting these tools,” the security firm says.
Related: Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors