Phishing alert: Hacking gang turns to new tactics in malware campaign

Security company warns 'SilverTerrier' group poses a threat to businesses.
Written by Danny Palmer, Senior Writer

Off-the-shelf malware kits and mass phishing campaigns are enabling a small group of Nigerian cybercriminals to conduct hacking campaigns against targets around the world - and the threat they pose to organisations is increasing.

The group, dubbed SilverTerrier, isn't a sophisticated operation, but has access to a number of malware families - including information stealers and remote-access trojans - which are distributed with the aim of infecting victims and stealing data.

Researchers at Palo Alto Networks have been tracking SilverTerrier and have attributed 181,000 attacks, using 15 families of malware, to the group in the last year. Over the past 12 months, the group has fired off an average of 17,600 spam emails a month, representing a 45 percent increase from 2016.

"Sending malicious emails does not require a significant amount of resources, but monetizing these infections requires time and attention from the actors," Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks told ZDNet.

"The tactics and tools used by SilverTerrier are not on the cutting edge, but these attackers are very opportunistic. Businesses who think they may not be the target of more sophisticated actors and do not take precautions to secure their users and their data are prime targets for these attackers," said Olson.

Common themes used in the distribution of the phishing emails focus on subjects many organisations find themselves dealing with on a regular basis, such as fake shipping notifications, invoices, requests for quotes and purchase orders.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

The thinking behind these tactics is that as users commonly see these types of emails and attachments, they'll go ahead and open documents.

While the malware delivered has changed over the year depending on popularity and availability, information stealers, designed to steal usernames, passwords and other valuable credentials, are commonly used in attacks.

What's appealing about these tactics for SilverTerrier is that they're widely available on dark web and underground forums and the out-of-the-box nature of many of the malware kits means they're easy to distribute.

The type of information stealer distributed has regularly changed over the years, but the likes of Lokibot, Zeus, Atmos and Pony malware have all been distributed in the campaigns, with the latter particularly popular.

While the use of information stealers is on the up -- researchers note there's been a 17 percent increase in SilverTerrier using these attacks during the past year -- the group also appears to be trying out new attack techniques, such as the use of RATs, which have increased in distribution by almost 50 percent in the last 12 months.

NetWire, DarkComet, NanoCore, LuminosityLink, Remcos and Imminent Monitor have all been distributed by SilverTerrier operatives, with many of these tools able to capture keystrokes, monitor webcams and provide remote-desktop access - all capabilities which could provide the attackers with vast swathes of information.

These tools are still off-the-shelf, but represent a step forward for the group - which is likely to continue to advance its attacks.

See also: Cyberwar: A guide to the frightening future of online conflict

SilverTerrier is opportunistic and conducts attacks against whoever it can, but organisations in the technology and higher education sectors appear to be the top two targets. Both of these industries provide information and intellectual property that any cybercriminal group would find useful, be it for profit or for espionage.

But in the case of SilverTerrier, it appears that profit is the key driver for the group, which consists of around a hundred active members. There are those in the group who pursue cyber crime as a full-time activity, but many view it as a means to supplement their legitimate income.

"Unless there is a significant change in the landscape, these actors will continue to learn and grow. This means we'll see more advanced tools and better techniques for compromising victims," said Olson.


Editorial standards