Connect with us

Hi, what are you looking for?



Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve

The Nigerian business email compromise (BEC) threat actors referred to as SilverTerrier have intensified assaults on multiple industries and should be considered an established threat, Palo Alto Networks says.

The Nigerian business email compromise (BEC) threat actors referred to as SilverTerrier have intensified assaults on multiple industries and should be considered an established threat, Palo Alto Networks says.

In February, the FBI’s Internet Crime Complaint Center (IC3) revealed that reported BEC and email account compromise (EAC) losses topped $1.7 billion, up from $1.3 billion in 2018.

The Nigerian cybercrime groups operating under the SilverTerrier umbrella have contributed greatly to this growth, it seems. These cybercriminals are responsible for collectively producing more than 81,300 samples of malware linked to 2.1 million attacks, Palo Alto Networks says. Combined, they registered more than 23,300 fraudulent and malicious domains.

SilverTerrier attacks were linked to roughly 400 individual threat actors in 2018, but that number jumped to 480 in 2019. Since 2014, when it included only a few individuals experimenting with commodity malware, SilverTerrier has evolved into a mature, established threat.

The number of BEC attacks Palo Alto Networks observed last year averaged at 92,739 assaults per month, representing a 172% increase from 2018, when the average was 34,039 incidents per month. June 2019 was the peak month, with 245,637 attacks.

The high-tech industry was hit the most, reaching 313,000 attacks in 2019, nearly double compared to the previous year. The professional and legal services industry ended up in second position with approximately 248,000 attacks, marking a 1163% increase from 2018.

SilverTerrier actors are indiscriminate in their attacks, with manufacturing (roughly 145,000 attacks in 2019), education (around 143,000 attacks), and wholesale and retail industry (107,000 attacks) rounding up the top five.

Most of the attacks (97.8%) leveraged email protocols to reach target networks, with SMTP traffic accounting for 69% of attacks observed in 2019, and POP3 and IMAP accounting for 26% and 2.8% of attacks, respectively. Only 1.9% of attacks were delivered via web browsing and 0.3% via FTP.

Advertisement. Scroll to continue reading.

In 2019, Palo Alto Networks identified 27,310 samples of SilverTerrier malware, most of which were commodity malware tools. At the time of discovery, these samples had an average detection rate of 57.3% across all vendors on VirusTotal.

Over the past five years, the security firm has identified over 10 different commodity information stealer families employed by SilverTerrier actors, with more effective tools being adopted over older ones. While the use of Atmos, Keybase, ISpySoftware, ISR Stealer, and Zeus dropped to negligible levels, AgentTesla, AzoRult, Lokibot, Pony, and PredatorPain remained in active use.

Since 2014, the threat actors have employed 13 RAT families, with LuminosityLink, NJRat, Quasar, and WarZone dropping in popularity over time, but Netwire, DarkComet, NanoCore, Remcos, ImminentMonitor, Adwind, Hworm, Revenge, and WSHRat still actively used.

Overall, the use of information stealers has been declining over the past couple of years, but the use of RATs shows growth, which Palo Alto Networks says is an indication of growing technical skills, in addition to revealing the effectiveness of these tools in helping the threat actors perform fraud.

“Further, we anticipate that this growth trend will continue throughout 2020, as we see increasing numbers of actors adopting these tools,” the security firm says.

Related: Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors

Related: BEC Losses Surpassed $1.7 Billion in 2019: FBI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.