SilverTerrier
SilverTerrier is the codename used by researchers and law enforcement for a Nigeria-based cybercrime syndicate, and the broader ecosystem around it, involved in business email compromise (BEC) fraud. Reporting describes SilverTerrier as a collective name for multiple Nigerian groups or actors, citing more than 400 unique actors or groups, and identifies it as originating from Nigeria. Palo Alto Networks Unit 42 is cited as tracking Nigerian BEC actors under this codename since 2014. SilverTerrier has been accused of targeting thousands of organizations worldwide and harming thousands of companies globally through BEC scams.

The group's activity centers on BEC: monitoring business communications and diverting funds when a transaction is about to occur. Reported targeting spans organizations worldwide, with the high-tech, wholesale, and manufacturing sectors specifically noted in Unit 42 reporting. Reporting also describes COVID-19-themed scam activity, including fake PPE orders, shipping-delay notices, and vaccine-related messages carrying malware.

SilverTerrier is repeatedly associated with malware-assisted BEC operations. Reporting states that the group used information stealers and, increasingly, remote access trojans to improve targeting and fraud success. Malware families explicitly linked to SilverTerrier include NanoCore, njRAT, NetWire, DarkComet, LuminosityLink, Remcos, ImminentMonitor, Quasar, Adwind, Hworm, AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, and Zeus. NanoCore is described as the group's RAT of choice and as the most frequently seen RAT in 2018. The group also used crypters to encrypt, obfuscate, and modify malware to evade antivirus detection. Tactics and techniques directly mentioned in reporting include HTTP for command-and-control communications, mail protocols and FTP (as noted in detections and ATT&CK annotations), and remote access tools.
One campaign behaviorally linked to elements of the SilverTerrier ecosystem used Thai-language phishing lures themed as payment slips, a WinRAR self-extracting archive with a deceptive .pdf.scr double extension, a Visual Basic script that temporarily disrupted connectivity via ipconfig, a renamed AutoIt3 interpreter, RC4-decrypted Remcos configuration data, and dynamic DNS-backed command-and-control infrastructure. That campaign was tracked as BlackToad and linked behaviorally to the SilverTerrier ecosystem rather than attributed directly to SilverTerrier itself.

Law enforcement reporting ties SilverTerrier to multiple arrests in Nigeria. INTERPOL and the Nigerian Police Force arrested 11 alleged members of a cybercrime network in Operation Falcon II, many of them believed to be members of SilverTerrier. Preliminary analysis linked the suspects' collective BEC activity to more than 50,000 targets; one suspect possessed more than 800,000 potential victim domain credentials, and another allegedly monitored conversations between 16 companies and their clients in order to divert funds to the gang. In May 2022, INTERPOL announced the arrest of a 37-year-old Nigerian man regarded as the leader of the syndicate during Operation Delilah.

No aliases other than SilverTerrier are mentioned in reporting. Related clusters or campaigns linked to the ecosystem, but not stated to be aliases, include BlackToad and BoredFluff.
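As an added defender-side example (not code from Mallory, Unit 42, or any of the reporting cited above), the following Python runs simple detection rules over constructed endpoint events that mirror the BlackToad chain elements just described: a deceptive .pdf.scr double extension, a script host launching ipconfig, a renamed AutoIt3 interpreter, and a dynamic DNS lookup. The event schema, the sample events, and the dynamic DNS suffix list are assumptions chosen for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample endpoint events in a hypothetical schema (not real telemetry),
# covering the lure file, the VBS-to-ipconfig step, the renamed AutoIt3 and its DNS lookup.
SAMPLE_EVENTS = [
    {"type": "file", "name": "payment_slip_0423.pdf.scr"},
    {"type": "process", "image": "wscript.exe", "parent": "explorer.exe",
     "original_filename": "wscript.exe"},
    {"type": "process", "image": "ipconfig.exe", "parent": "wscript.exe",
     "original_filename": "ipconfig.exe"},
    {"type": "process", "image": "svchost32.exe", "parent": "wscript.exe",
     "original_filename": "AutoIt3.exe"},
    {"type": "dns", "query": "update-srv.duckdns.org", "process": "svchost32.exe"},
    {"type": "file", "name": "invoice.pdf"},                 # benign control
    {"type": "process", "image": "AutoIt3.exe", "parent": "explorer.exe",
     "original_filename": "AutoIt3.exe"},                    # unrenamed, benign
]

# A document-like extension immediately followed by an executable one.
DECEPTIVE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(scr|exe|com|pif|bat|vbs|js)$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed list of dynamic DNS provider suffixes; extend it to match local policy.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org")


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event, tagged with the rule that fired."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file" and DECEPTIVE_EXT.search(ev["name"]):
            findings.append({"rule": "deceptive_double_extension", "evidence": ev["name"]})
        elif kind == "process":
            image = ev["image"].lower()
            if image == "ipconfig.exe" and ev.get("parent", "").lower() in SCRIPT_HOSTS:
                findings.append({"rule": "script_host_spawned_ipconfig", "evidence": ev["parent"]})
            # The PE's original filename survives renaming; compare it with the on-disk name.
            if ev.get("original_filename", "").lower() == "autoit3.exe" and image != "autoit3.exe":
                findings.append({"rule": "renamed_autoit_interpreter", "evidence": ev["image"]})
        elif kind == "dns" and ev["query"].lower().endswith(DYNDNS_SUFFIXES):
            findings.append({"rule": "dynamic_dns_query", "evidence": ev["query"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['rule']:32} {finding['evidence']}")
```

Each rule alone is noisy in a real environment; the value is in the four firing within one process chain, which is the correlation a SIEM query over these findings would add.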
Targeting
Targeting data (who, where, and, when attributed, the operation's country of origin) is drawn from open-source reporting and analyst review.
Where they're from
Attributed origin per open-source reporting.
- NG (Nigeria)
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
20 malware families attributed to this actor across reporting.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as the broader West African cybercrime ecosystem to which the BlackToad campaign is linked.
Referenced as a threat actor associated with this outbound SMB traffic detection analytic.
Listed as an associated threat actor in the detection annotation.
Referenced as a threat actor associated with web protocols for command-and-control activity in the detection annotations.