SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.^[1]^[2]

ID: G0083

Version: 1.1

Created: 29 January 2019

Last Modified: 19 May 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	SilverTerrier uses HTTP for C2 communications.^[1]
		.002	Application Layer Protocol: File Transfer Protocols	SilverTerrier uses FTP for C2 communications.^[1]
		.003	Application Layer Protocol: Mail Protocols	SilverTerrier uses SMTP for C2 communications.^[1]

Software

ID	Name	References	Techniques
S0331	Agent Tesla	^[1]	Account Discovery: Local Account, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Clipboard Data, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exploitation for Client Execution, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Regsvcs/Regasm, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Credentials In Files, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion, Windows Management Instrumentation
S0334	DarkComet	^[1]	Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0447	Lokibot	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0336	NanoCore	^[1]	Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0198	NETWIRE	^[1]	Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious Link, User Execution: Malicious File, Web Service

References

Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.

Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.

SilverTerrier

Enterprise Layer

Techniques Used

Software

References