SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]

ID: G0083
Version: 1.1
Created: 29 January 2019
Last Modified: 19 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SilverTerrier uses HTTP for C2 communications.[1]

.002 Application Layer Protocol: File Transfer Protocols

SilverTerrier uses FTP for C2 communications.[1]

.003 Application Layer Protocol: Mail Protocols

SilverTerrier uses SMTP for C2 communications.[1]

Software

ID Name References Techniques
S0331 Agent Tesla [1] Account Discovery: Local Account, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Clipboard Data, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exploitation for Client Execution, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Regsvcs/Regasm, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Credentials In Files, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion, Windows Management Instrumentation
S0334 DarkComet [1] Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0447 Lokibot [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0336 NanoCore [1] Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0198 NETWIRE [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious Link, User Execution: Malicious File, Web Service

References