Background
SilverTerrier is the name applied by Palo Alto Unit 42 to a broad cluster of Nigerian cybercriminals conducting business email compromise (BEC) and commodity malware campaigns targeting organizations globally. Rather than a single organized group, SilverTerrier represents the collective activity of numerous loosely affiliated Nigerian threat actors who share tools, techniques, and social networks within the Nigerian cyber underground.
Since at least 2014, SilverTerrier actors have evolved from basic 419 advance-fee fraud to sophisticated BEC operations that generate hundreds of millions of dollars in annual losses. BEC fraud involves impersonating executives, vendors, or business partners via compromised or spoofed email accounts to redirect legitimate business payments to attacker-controlled accounts. The FBI's Internet Crime Complaint Center (IC3) consistently ranks BEC as the highest-loss cybercrime category, with over $2.9 billion in reported U.S. losses in 2023 alone.
SilverTerrier actors deploy commodity remote access trojans and keyloggers to harvest email credentials, monitor victim email accounts for payment-related conversations, and time fraudulent payment requests to coincide with legitimate transactions. The infrastructure and tooling are unsophisticated by nation-state standards, but the social engineering and operational patience demonstrated by these actors are exceptional.
Notable Campaigns
COVID-19 Relief Fund Targeting (2020-2021): During the pandemic, SilverTerrier actors pivoted to targeting healthcare organizations, unemployment systems, and government relief programs. Unit 42 tracked over 170 Nigerian BEC actors who compromised healthcare organizations and government agencies during this period, exploiting pandemic-related financial workflows and the transition to remote work.
Real Estate Wire Fraud Operations: SilverTerrier actors have caused significant losses through real estate wire fraud, compromising email accounts involved in property transactions and redirecting closing funds. The FBI reports that real estate wire fraud losses exceeded $446 million in 2023, with Nigerian BEC actors responsible for a significant portion.
Interpol Operation Delilah (2022): International law enforcement operations coordinated by Interpol disrupted multiple SilverTerrier-affiliated BEC networks, resulting in dozens of arrests across Nigeria and other African countries. The operations highlighted the transnational law enforcement challenge posed by distributed BEC networks.
Supply Chain Impersonation Campaign (2023-2024): SilverTerrier actors increasingly compromised supplier email accounts to send fraudulent invoices from legitimate email addresses, evading domain spoofing detection controls. This evolution from spoofing to account takeover reflects adaptation to improved email security controls.
Tactics, Techniques & Procedures
SilverTerrier operations follow a consistent pattern. Initial access is gained through phishing emails (T1566.001, T1566.002) delivering commodity RATs and keyloggers. Targets are typically selected by searching public records, LinkedIn, and business directories for finance, accounting, and executive contacts at high-value organizations. Volume-based phishing campaigns are run against thousands of potential targets simultaneously.
Once a RAT or keylogger is installed, actors harvest email credentials, webmail session cookies (T1539), and VPN credentials. Compromised email accounts are monitored for months (T1114), with actors reading correspondence to identify pending payment transactions, understand business relationships, and craft convincing impersonation scenarios. Fraudulent payment instructions are timed to coincide with legitimate transactions and sent from compromised or look-alike domains.
Money mule networks are used to receive and quickly distribute diverted funds, with layers of domestic and international transfers to complicate recovery. SilverTerrier actors typically wire funds through multiple countries within hours of receipt.
Tools & Malware
- LokiBot: Commodity credential stealer and keylogger targeting browsers, email clients, and VPN software.
- AgentTesla: Popular .NET-based keylogger and credential harvester with email exfiltration capabilities.
- AzoRult: Credential and cookie stealer frequently bundled with other malware in multi-stage delivery chains.
- Pony Stealer: Credential harvester targeting over 110 applications including FTP clients, email clients, and browsers.
- NanoCore / AsyncRAT / Remcos: Full-featured RATs providing interactive access to compromised systems for long-term monitoring.
- HawkEye: Keylogger and credential harvester with email-based exfiltration to attacker-controlled accounts.
Indicators & Detection
The primary defense against SilverTerrier BEC operations is a combination of email security controls and financial process verification. Implement DMARC, DKIM, and SPF on all email domains to reduce spoofed email delivery. Enable multi-factor authentication on all email and webmail accounts to prevent account takeover following credential theft.
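The email authentication controls above are only effective when the published records are actually enforcing. The following Python is an added illustration, not part of the Unit 42 profile: it parses DMARC and SPF TXT record strings and reports the settings that leave a domain spoofable (p=none, partial pct, +all, missing all, no reporting address). All records are constructed samples for example.com, and the checks run offline on the strings rather than querying DNS.

```python
"""Evaluate DMARC and SPF TXT records for weak settings.

Added illustration (not from the Unit 42 profile). The records at the bottom
are constructed samples, not any real domain's DNS data.
"""
from typing import Dict, List, Optional

# DNS-querying SPF terms counted against the RFC 7208 limit of 10 lookups
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style record (DMARC) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for a DMARC record; an empty list means it is enforcing."""
    if not record:
        return ["no DMARC record: receivers cannot reject spoofed mail for this domain"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("p=none only monitors; set p=quarantine or p=reject")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    # sp= defaults to the organizational policy when absent
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: only part of the failing mail is acted on")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings


def assess_spf(record: Optional[str]) -> List[str]:
    """Return findings for an SPF record; an empty list means it is restrictive."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    mechanisms = [t for t in terms[1:] if "=" not in t]  # drop modifiers like redirect=
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: hosts not listed are treated as neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("?all is neutral; use ~all (softfail) or -all (fail)")
        # ~all (softfail) is acceptable when DMARC is enforcing; -all is stricter
    lookups = sum(1 for t in mechanisms
                  if t.lstrip("+-~?").split(":", 1)[0].lower() in LOOKUP_MECHANISMS)
    lookups += sum(1 for t in terms if t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10")
    return findings


# Constructed sample records for example.com: the weak setting beside the corrected one
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARDENED_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("hardened DMARC", HARDENED_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("hardened SPF", HARDENED_SPF, assess_spf)):
        print(f"{label}: {fn(rec) or ['OK']}")
```

In practice the record strings would come from a TXT lookup of `_dmarc.<domain>` and `<domain>`; the functions take strings so that the same checks can be run over an exported inventory of all owned domains, including parked ones that send no mail and still need a reject policy.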
For financial controls, establish out-of-band verification procedures for all payment instruction changes. Never process wire transfer updates based solely on email instructions — require voice verification to a known phone number on file. Train finance and accounting staff to recognize BEC social engineering patterns, particularly urgency framing and executive impersonation.
Endpoint detection should identify commodity RAT artifacts and keylogger behavior, including unusual process access to browser credential stores and LSASS. Monitor email gateway logs for forwarding rules added to executive and finance mailboxes, which SilverTerrier actors add to maintain long-term visibility into email correspondence after the initial compromise.
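The forwarding-rule check above is straightforward to automate against exported mailbox audit records. The Python below is an added example, not code from the Unit 42 profile: it scans JSON-per-line audit records for inbox rules and mailbox settings that forward mail outside the organization, and adds context a triager wants (rule deletes the forwarded copy, blank rule name, same client IP touching several mailboxes). The log lines are constructed to resemble Exchange Online audit entries; the field and parameter names are assumptions about that schema, and example.com is the assumed internal domain.

```python
"""Flag mailbox forwarding rules that send mail outside the organization.

Added example, not from the Unit 42 profile. The log lines below are
constructed to resemble exported Exchange Online audit records (one JSON
object per line); the field names are assumptions, not a guaranteed schema.
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample log: two external-forwarding changes from the same client IP,
# one benign move-to-folder rule, one internal forward, one unrelated event.
SAMPLE_LOG = """
{"CreationTime":"2024-03-04T08:12:55","UserId":"cfo@example.com","Operation":"New-InboxRule","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"accounts.receivable@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-04T09:01:10","UserId":"alice@example.com","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"From","Value":"newsletter@example.com"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-03-04T09:30:00","UserId":"bob@example.com","Operation":"Set-Mailbox","ClientIP":"203.0.113.9","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.backup@example.com"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-04T10:15:42","UserId":"ap-clerk@example.com","Operation":"Set-Mailbox","ClientIP":"198.51.100.23","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:ap.clerk.archive@example.org"}]}
{"CreationTime":"2024-03-04T11:00:00","UserId":"carol@example.com","Operation":"MailItemsAccessed","ClientIP":"203.0.113.5","Parameters":[]}
"""


def _domain(address: str) -> str:
    """Lower-cased domain of an SMTP address; strips the 'smtp:' prefix Exchange uses."""
    addr = address.split(":", 1)[1] if address.lower().startswith("smtp:") else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def analyze_record(rec: dict) -> Optional[dict]:
    """Return an alert dict when the record forwards mail externally, else None."""
    if rec.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: p.get("Value", "") for p in rec.get("Parameters", [])}
    external = []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        for target in params[name].split(";"):  # multiple recipients are ';'-separated
            target = target.strip()
            if target and _domain(target) not in INTERNAL_DOMAINS:
                external.append(target)
    if not external:
        return None
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes the message after forwarding, hiding it from the owner")
    if rec["Operation"] != "Set-Mailbox" and not params.get("Name", "").strip(". "):
        reasons.append("rule name is blank or a single punctuation character")
    return {"user": rec.get("UserId"), "time": rec.get("CreationTime"),
            "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
            "reasons": reasons}


def scan_log(text: str) -> List[dict]:
    """Parse JSON-per-line audit records and collect alerts in log order."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            alert = analyze_record(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


def shared_source_ips(alerts: List[dict]) -> Dict[str, List[str]]:
    """Client IPs whose forwarding changes touched more than one mailbox."""
    by_ip = defaultdict(set)
    for alert in alerts:
        by_ip[alert["client_ip"]].add(alert["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["time"], alert["user"], alert["operation"])
        for reason in alert["reasons"]:
            print("   -", reason)
    print("shared source IPs:", shared_source_ips(found))
```

Running it on the sample yields two alerts (the CFO's deleting forward rule and the AP clerk's mailbox-level forward) and reports that both changes came from the same client IP, which is the pivot a responder would use to check for further mailboxes touched from that address. Tuning for a real tenant means extending INTERNAL_DOMAINS to every accepted domain and allow-listing any sanctioned archival forwarding.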