Skip to content

G0083 SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.21

Item Value
ID G0083
Associated Names
Version 1.2
Created 29 January 2019
Last Modified 27 September 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SilverTerrier uses HTTP for C2 communications.2
enterprise T1071.002 File Transfer Protocols SilverTerrier uses FTP for C2 communications.2
enterprise T1071.003 Mail Protocols SilverTerrier uses SMTP for C2 communications.2
enterprise T1657 Financial Theft SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.21

Software

ID Name References Techniques
S0331 Agent Tesla 2 Local Account:Account Discovery Web Protocols:Application Layer Protocol Mail Protocols:Application Layer Protocol Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Clipboard Data Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Deobfuscate/Decode Files or Information Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Exploitation for Client Execution Hidden Window:Hide Artifacts Hidden Files and Directories:Hide Artifacts Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Spearphishing Attachment:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Scheduled Task:Scheduled Task/Job Screen Capture Regsvcs/Regasm:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery Wi-Fi Discovery:System Network Configuration Discovery System Owner/User Discovery System Time Discovery Credentials In Files:Unsecured Credentials Credentials in Registry:Unsecured Credentials Malicious File:User Execution Video Capture Virtualization/Sandbox Evasion Windows Management Instrumentation
S0334 DarkComet 2 Web Protocols:Application Layer Protocol Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Resource Name or Location:Masquerading Modify Registry Software Packing:Obfuscated Files or Information Process Discovery Remote Desktop Protocol:Remote Services System Information Discovery System Owner/User Discovery Video Capture
S0447 Lokibot 2 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information Spearphishing Attachment:Phishing Process Hollowing:Process Injection Reflective Code Loading Scheduled Task:Scheduled Task/Job Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Owner/User Discovery Malicious File:User Execution Time Based Checks:Virtualization/Sandbox Evasion
S0336 NanoCore 2 Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0198 NETWIRE 2 Web Protocols:Application Layer Protocol Application Window Discovery Archive via Custom Method:Archive Collected Data Archive Collected Data Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution XDG Autostart Entries:Boot or Logon Autostart Execution Login Items:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Launch Agent:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Resource Name or Location:Masquerading Invalid Code Signature:Masquerading Modify Registry Native API Non-Application Layer Protocol Software Packing:Obfuscated Files or Information Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Spearphishing Link:Phishing Spearphishing Attachment:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Proxy Cron:Scheduled Task/Job Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery Malicious File:User Execution Malicious Link:User Execution Web Service

References

  1. Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018. 

  2. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.