Nigerian cyber adversaries are using multiple commodity malware tools to modernise their operations, the latest report by Palo Alto Networks’ security division reveals.
This shift represents a significant evolution from the traditional 419-style email scams, according to the report by the company’s Unit 42 security researchers.
The adoption of malware by these email scam groups began in 2014, and has now evolved to a point where the groups are using commodity malware for financial gain.
In the past two years, the number of actors or groups has trebled to more than 300, and the number of popular commodity malware tool families they use to deliver thousands of attacks globally every month has also trebled, to 15, according to the report, SilverTerrier: The next evolution in Nigerian cyber crime.
Unit 42 continues to track these groups under the code name SilverTerrier, and has discovered in the past year that these actors have conducted an average of 17,600 attacks a month – a 45% increase from 2016.
While simple commodity information stealers remain the most popular and widely deployed tools, the report said there has been notable growth in the adoption of more complex remote administration tools (RATs).
Despite continued increases in both attacks and malware production, the researchers found the number of active threat actors during any given month has begun to stabilise, suggesting improvements in efficiency and increased organisation.
The researchers found that the social connections between these actors have become more robust and complex through the use of social media platforms to promote their networking efforts.
Nigerian cyber actors will continue to expand their attacks in size, scope and capabilities, the report said, adding that according to law enforcement organisations, the exposed losses to businesses worldwide from these threat actors are now estimated to be more than $3bn.
The researchers said the report aimed to outline techniques to enable large-scale attribution efforts to combat this threat and demonstrate a repeatable and sustainable process to identify SilverTerrier infrastructure and put preventive measures in place.
Key findings of the report include the fact that the so-called SilverTerrier actors are mostly mature adults, not children or teenagers. They are typically aged between 20 and 40, with the vast majority estimated to be in their 30s.
Information-stealing malware families remain common, with SilverTerrier actors producing an average of 840 samples a month – a 17% year-on-year increase – with Agent Tesla, LokiBot and Pony the most popular tools in the category, the report said.
SilverTerrier actors have begun to incorporate RATs into their criminal activities at a significant rate, the report said. The data shows that these actors produce an average of 146 samples a month, which is a 49% increase on previous years, with the three most popular tools being DarkComet, NetWire and NanoCore.
Nigerian cyber actors remain a formidable threat to businesses worldwide, the report said, pointing out that there is “tremendous value” to be gained from conducting advanced automated analysis of cyber criminals employing commodity malware.