SilverTerrier
SilverTerrier is the codename used by researchers and law enforcement for a Nigerian-based cybercrime syndicate, and the broader ecosystem around it, involved primarily in business email compromise (BEC) fraud. Palo Alto Networks Unit 42 tracks Nigerian BEC actors under this name, and the reporting collected here describes SilverTerrier as a collective label for more than 400 unique actors or groups. The ecosystem has been accused of targeting thousands of organizations worldwide and harming thousands of companies globally through BEC scams. Reporting describes SilverTerrier as a financially motivated threat actor cluster originating from Nigeria, and references INTERPOL's Global Financial Crime Taskforce and Nigerian law enforcement.

Law enforcement actions tied to SilverTerrier include Operation Falcon II, in which 11 alleged members of a cybercrime network believed to be tied to SilverTerrier were arrested in Nigeria, and a later May 2022 arrest of a 37-year-old Nigerian man suspected to be the leader of a SilverTerrier-linked BEC group.

SilverTerrier activity is centered on BEC: monitoring business email conversations and diverting funds when a transaction is about to occur. Unit 42 observed roughly 1.1 million SilverTerrier attacks over four years, with a monthly average of 28,227 attacks in one reporting period; later reporting cited monthly BEC attack volume rising to 245,637 in 2019. Targeted sectors mentioned in reporting include high-tech, wholesale, and manufacturing. SilverTerrier commonly augments BEC with malware to steal data and improve targeting: information stealers were the preferred malware type, with a later shift toward remote access trojans.
Malware families explicitly associated with SilverTerrier in reporting include AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, Zeus, NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, njRAT, Quasar, Adwind, and Hworm. NanoCore is specifically described as the RAT of choice for SilverTerrier, and reporting also notes SilverTerrier use of njRAT. Nigerian actors in this ecosystem used crypters to encrypt, obfuscate, and modify malware to evade antivirus detection.

A campaign linked behaviorally to the SilverTerrier ecosystem involved Remcos RAT delivered through Thai-language phishing emails themed as financial payment slips. That activity used a WinRAR self-extracting archive with deceptive double extensions such as .pdf.scr, a Visual Basic script that temporarily disrupted connectivity using ipconfig to hinder online detection, a renamed AutoIt3 interpreter for decryption, RC4-decrypted Remcos configuration data, and dynamic DNS command-and-control infrastructure. Investigators tracked that operational cluster as BlackToad and linked it to elements of the SilverTerrier ecosystem; recent telemetry also connected it to the BoredFluff campaign.

For command and control, reporting explicitly states that SilverTerrier uses HTTP for C2 communications. ATT&CK-style annotations also associate SilverTerrier with web protocols, mail protocols, and remote access tools. Known aliases and related names directly mentioned in reporting include SilverTerrier, BlackToad, and BoredFluff, with SilverTerrier described as an ecosystem or collective name rather than a single tightly bounded group.
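The deceptive double-extension lure described above (a file named like a payment-slip PDF that is really a .scr executable) is a cheap thing to catch at the mail gateway or in attachment triage. The following is an added example written for this page, not code from Unit 42, the BlackToad investigators, or Mallory; it flags filenames whose final extension is executable while an earlier extension looks like a document, and cross-checks the declared extension against the file's leading bytes. The extension sets, the sample attachment names and the byte strings are constructed assumptions for illustration.

```python
"""Heuristic attachment triage for deceptive double extensions.

Added example, not from the original page or from any vendor tooling.
Flags names such as "payment_slip.pdf.scr", where a document-like extension
is followed by an executable one, and checks the declared extension against
the file's magic bytes. All sample inputs below are constructed.
"""
import os

# Extensions Windows will execute on double-click (assumption: representative
# subset, extend for your environment).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi"}
# Extensions a recipient expects to open as inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".txt"}
# Leading bytes we can sanity-check against the declared extension.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
PE_MAGIC = b"MZ"  # DOS/PE executable header, which .scr files carry


def split_all_exts(name: str) -> list:
    """Every extension in the name, lowercased, in order: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def has_deceptive_double_extension(name: str) -> bool:
    """True when the real (last) extension executes but an earlier one looks like a document."""
    exts = split_all_exts(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1])


def extension_mismatches_magic(name: str, head: bytes) -> bool:
    """True when the declared extension disagrees with the file's leading bytes."""
    exts = split_all_exts(name)
    if not exts:
        return False
    declared = exts[-1]
    if head.startswith(PE_MAGIC) and declared in DOCUMENT_EXTS:
        return True  # executable content hiding behind a document extension
    expected = MAGIC.get(declared)
    return expected is not None and not head.startswith(expected)


def triage_attachment(name: str, head: bytes) -> list:
    """Return the list of findings for one attachment (empty list means nothing suspicious)."""
    findings = []
    if has_deceptive_double_extension(name):
        findings.append("deceptive-double-extension")
    if extension_mismatches_magic(name, head):
        findings.append("extension-magic-mismatch")
    if split_all_exts(name)[-1:] == [".scr"]:
        findings.append("screensaver-executable")
    return findings


if __name__ == "__main__":
    # Constructed sample attachments: (filename, first bytes of content).
    SAMPLES = [
        ("PaymentSlip_0412.pdf.scr", b"MZ\x90\x00\x03"),   # the lure pattern from the write-up
        ("invoice.pdf", b"MZ\x90\x00\x03"),                # PE bytes behind a .pdf name
        ("quarterly_report.pdf", b"%PDF-1.7\n"),           # genuine PDF
        ("logs.tar.gz", b"\x1f\x8b\x08"),                  # benign double extension
    ]
    for fname, head in SAMPLES:
        print(f"{fname:28s} -> {triage_attachment(fname, head) or 'clean'}")
```

The filename check alone produces false positives on legitimate multi-part names (archive.tar.gz is handled because .gz is not executable), so the magic-byte check is what makes the verdict robust: a .pdf that starts with MZ is wrong regardless of how it is named.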
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
20 malware families attributed to this actor across reporting.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as the broader West African cybercrime ecosystem to which the BlackToad campaign is linked.
Referenced as a threat actor associated with this outbound SMB traffic detection analytic.
Listed as an associated threat actor in the detection annotation.
Referenced as a threat actor associated with web protocols for command-and-control activity in the detection annotations.