SilverTerrier

SilverTerrier is a Nigerian threat group that has been observed active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]

ID: G0083
Version: 1.2
Created: 29 January 2019
Last Modified: 27 September 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SilverTerrier uses HTTP for C2 communications.[1]

.002 Application Layer Protocol: File Transfer Protocols

SilverTerrier uses FTP for C2 communications.[1]

.003 Application Layer Protocol: Mail Protocols

SilverTerrier uses SMTP for C2 communications.[1]

Enterprise T1657 Financial Theft

SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.[1][2]
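As an added example, not from the ATT&CK page or the cited reports: a small Python detector for the three C2 channels listed above, T1071.001 (HTTP), .002 (FTP) and .003 (SMTP), run over constructed connection-log lines. The log format, the internal address ranges, the allow-list of hosts permitted to speak SMTP/FTP outbound, and the beacon thresholds are all assumptions chosen for the example; in practice they come from your own network inventory.

```python
"""Added example (not from the ATT&CK page): flag the C2 channels attributed
to SilverTerrier in constructed connection logs.

Two checks:
  * T1071.002/.003: a workstation opening FTP or SMTP to an external host
    directly, instead of going through an approved relay/transfer server.
  * T1071.001: HTTP connections from one source to one destination at a
    near-constant interval (beaconing), which plain-HTTP RAT C2 tends to show.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "timestamp,src_ip,dst_ip,dst_port,service"
SAMPLE_LOG = """\
2023-09-27T08:00:00,10.0.5.23,203.0.113.10,80,http
2023-09-27T08:05:00,10.0.5.23,203.0.113.10,80,http
2023-09-27T08:10:00,10.0.5.23,203.0.113.10,80,http
2023-09-27T08:15:00,10.0.5.23,203.0.113.10,80,http
2023-09-27T08:20:00,10.0.5.23,203.0.113.10,80,http
2023-09-27T08:03:12,10.0.5.41,198.51.100.7,21,ftp
2023-09-27T08:04:55,10.0.5.41,198.51.100.7,25,smtp
2023-09-27T08:04:57,10.0.2.10,198.51.100.9,25,smtp
2023-09-27T08:07:00,10.0.5.88,203.0.113.50,80,http
2023-09-27T08:31:00,10.0.5.88,203.0.113.50,80,http
2023-09-27T09:02:00,10.0.5.88,203.0.113.50,80,http
"""

# Assumed internal address space (RFC 1918); anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Hypothetical allow-list: the mail relay / managed file-transfer server that
# is expected to talk SMTP or FTP to the internet. Everything else is not.
APPROVED_SMTP_FTP_HOSTS = {"10.0.2.10"}

# Beacon thresholds (assumed): at least this many hits, and the spread of the
# inter-connection gaps (stdev/mean) no larger than this fraction.
BEACON_MIN_HITS = 5
BEACON_MAX_JITTER = 0.10


def parse_log(text):
    """Parse the CSV-style log into (timestamp, src, dst, port, service)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, svc = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), svc))
    return rows


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def direct_mail_ftp_alerts(rows):
    """T1071.002/.003: FTP/SMTP to the internet from a non-approved host."""
    alerts = set()
    for _ts, src, dst, _port, svc in rows:
        if (svc in ("ftp", "smtp") and is_external(dst)
                and src not in APPROVED_SMTP_FTP_HOSTS):
            alerts.add((src, dst, svc))
    return sorted(alerts)


def beacon_alerts(rows):
    """T1071.001: HTTP to one destination at a near-constant interval.

    Returns (src, dst, mean_gap_seconds) for each pair that looks periodic.
    """
    per_pair = defaultdict(list)
    for ts, src, dst, _port, svc in rows:
        if svc == "http" and is_external(dst):
            per_pair[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in per_pair.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= BEACON_MAX_JITTER:
            alerts.append((src, dst, round(mean(gaps))))
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for a in direct_mail_ftp_alerts(rows):
        print("direct mail/ftp:", a)
    for a in beacon_alerts(rows):
        print("http beacon:", a)
```

On the constructed log, 10.0.5.41 is reported for both FTP and SMTP to 198.51.100.7, the approved relay 10.0.2.10 is not, and 10.0.5.23 is reported as a 300-second HTTP beacon while 10.0.5.88, with only three irregular hits, is not. Real C2 adds jitter deliberately, so the jitter threshold is the knob to tune against your baseline rather than a fixed constant.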

Software

ID Name References Techniques
S0331 Agent Tesla [1] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Modify Registry, Clipboard Data, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Archive Collected Data, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, Browser Session Hijacking, Obfuscated Files or Information, User Execution: Malicious File, System Binary Proxy Execution: Regsvcs/Regasm, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Wi-Fi Discovery, Virtualization/Sandbox Evasion, Video Capture, Account Discovery: Local Account, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task
S0334 DarkComet [1] Masquerading: Match Legitimate Name or Location, Modify Registry, Clipboard Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Software Packing, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Audio Capture
S0447 Lokibot [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Modify Registry, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Process Hollowing, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job
S0336 NanoCore [1] Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Audio Capture
S0198 NETWIRE [1] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task

References