Security Experts:

Connect with us

Hi, what are you looking for?



Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve

The Nigerian business email compromise (BEC) threat actors referred to as SilverTerrier have intensified assaults on multiple industries and should be considered an established threat, Palo Alto Networks says.

The Nigerian business email compromise (BEC) threat actors referred to as SilverTerrier have intensified assaults on multiple industries and should be considered an established threat, Palo Alto Networks says.

In February, the FBI’s Internet Crime Complaint Center (IC3) revealed that reported BEC and email account compromise (EAC) losses topped $1.7 billion, up from $1.3 billion in 2018.

The Nigerian cybercrime groups operating under the SilverTerrier umbrella have contributed greatly to this growth, it seems. These cybercriminals are responsible for collectively producing more than 81,300 samples of malware linked to 2.1 million attacks, Palo Alto Networks says. Combined, they registered more than 23,300 fraudulent and malicious domains.

SilverTerrier attacks were linked to roughly 400 individual threat actors in 2018, but that number jumped to 480 in 2019. Since 2014, when it included only a few individuals experimenting with commodity malware, SilverTerrier has evolved into a mature, established threat.

The number of BEC attacks Palo Alto Networks observed last year averaged at 92,739 assaults per month, representing a 172% increase from 2018, when the average was 34,039 incidents per month. June 2019 was the peak month, with 245,637 attacks.

The high-tech industry was hit the most, reaching 313,000 attacks in 2019, nearly double compared to the previous year. The professional and legal services industry ended up in second position with approximately 248,000 attacks, marking a 1163% increase from 2018.

SilverTerrier actors are indiscriminate in their attacks, with manufacturing (roughly 145,000 attacks in 2019), education (around 143,000 attacks), and wholesale and retail industry (107,000 attacks) rounding up the top five.

Most of the attacks (97.8%) leveraged email protocols to reach target networks, with SMTP traffic accounting for 69% of attacks observed in 2019, and POP3 and IMAP accounting for 26% and 2.8% of attacks, respectively. Only 1.9% of attacks were delivered via web browsing and 0.3% via FTP.

In 2019, Palo Alto Networks identified 27,310 samples of SilverTerrier malware, most of which were commodity malware tools. At the time of discovery, these samples had an average detection rate of 57.3% across all vendors on VirusTotal.

Over the past five years, the security firm has identified over 10 different commodity information stealer families employed by SilverTerrier actors, with more effective tools being adopted over older ones. While the use of Atmos, Keybase, ISpySoftware, ISR Stealer, and Zeus dropped to negligible levels, AgentTesla, AzoRult, Lokibot, Pony, and PredatorPain remained in active use.

Since 2014, the threat actors have employed 13 RAT families, with LuminosityLink, NJRat, Quasar, and WarZone dropping in popularity over time, but Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat still actively used.

Overall, the use of information stealers has been declining over the past couple of years, but the use of RATs shows growth, which Palo Alto Networks says is an indication of growing technical skills, in addition to revealing the effectiveness of these tools in helping the threat actors perform fraud.

“Further, we anticipate that this growth trend will continue throughout 2020, as we see increasing numbers of actors adopting these tools,” the security firm says.

Related: Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors

Related: BEC Losses Surpassed $1.7 Billion in 2019: FBI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.