SilverTerrier

SilverTerrier is a Nigerian threat group that has been active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]

ID: G0083
Version: 1.1
Created: 29 January 2019
Last Modified: 19 May 2020

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | SilverTerrier uses SMTP for C2 communications.[1]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | SilverTerrier uses HTTP for C2 communications.[1]
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | SilverTerrier uses FTP for C2 communications.[1]

Software

ID | Name | References | Techniques
S0331 | Agent Tesla | [1] | Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Obfuscated Files or Information, Process Discovery, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion
S0334 | DarkComet | [1] | Application Layer Protocol: Web Protocols, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Modify Registry, Obfuscated Files or Information: Software Packing, Process Discovery, Remote Services: Remote Desktop Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0447 | Lokibot | [1] | Application Layer Protocol: Web Protocols, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Process Injection: Process Hollowing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File
S0336 | NanoCore | [1] | Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0198 | NETWIRE | [1] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Screen Capture, System Information Discovery

References