Nigeria’s 419 Scammers Trade Up to Info-Stealing Trojan Attacks

Nigeria’s 419 Scammers Trade Up to Info-Stealing Trojan Attacks
Nigeria’s 419 Scammers Trade Up to Info-Stealing Trojan Attacks

Nigeria’s 419 scammers have changed their tactics and are now more likely to be targeting businesses with information-stealing malware, according to new research from Palo Alto Networks.

The vendor’s new 419 Evolution report reveals that, although experts in social engineering with their infamous advanced-fee fraud scams, the Nigerian cybercriminals are novices when it comes to launching malware campaigns.
 
Palo Alto’s newly created Unit 42 threat intelligence arm detailed one such campaign, Silver Spaniel, aimed at its Taiwanese and South Korean customers.
 
The malware in question, NetWire, is a Remote Administration Tool (RAT) readily available on underground forums.
 
Typically it’s hidden in an email attachment, with the attackers opting thus far not to exploit any software vulnerabilities but instead relying on social engineering to trick users into installing the RAT.
 
The attackers apparently configure each RAT to connect to a No-IP dynamic DNS domain and use a VPN to hide their IP address.
 
Popular crypter tool DataScrambler is also used to help evade detection by many AV tools, the report said.
 
“Silver Spaniel actors’ objective appears to be stealing passwords and other data they can use to further compromise their victim,” it continued. “Thus far we have not observed any secondary payloads installed or any lateral movement between systems, but cannot rule out this activity.”
 
It’s clear that their efforts are still a work in progress, given the “tactics, techniques and procedures” used are relatively unsophisticated. For example, several attackers have been spotted by Palo Alto because they exposed their IP address, the report claimed.
 
It revealed one particular Silver Spaniel attacker, Ojie Victor, who posted incriminating comments online about malware using a Facebook account featuring a profile pic of himself.
 
One reads: “the crypter works well now but why is it that there is no crypter to crypt zeus botnet?”.
 
Victor is also linked to the “lovenotwars” handle which researchers believe could have been used to scam dating website users.
 
“While we have not connected Ojie Victor to specific attacks on Palo Alto Networks customers, his activities represent the characteristics of the Silver Spaniel campaign: individuals who began their criminal careers operating 419 scams and are evolving their craft to use malware tools found on underground forums,” the report noted.

The good news is that Silver Spaniel tools and tactics can be mitigated with a “well-managed network”, according to Palo Alto.
 
Best practice tips listed include blocking and examining executable files and attachments; decrypting webmail traffic to inspect emails for malicious attachments; educating users; and blocking access to commonly abused dynamic DNS domains.
 
Despie their relative lack of experience, the Silver Spaniel attackers represent a growing risk to businesses, the report concluded.
 
“At this time we do not expect Silver Spaniel actors to begin developing new tools or exploits, but they are likely to adopt new tools made by more capable actors,” it warned.
 
“Specific individuals within this attack group have demonstrated either an extreme lack of understanding of operational security, or simply believe they stand no chance of being caught and prosecuted. It is likely that shining light on this activity will cause these actors to change their tactics and begin tightening their security procedures.” 

What’s hot on Infosecurity Magazine?