A Nigerian cybercrime gang versed in 419 social engineering scams has diversified into using off-the-shelf RAT tools to attacks Taiwanese and South Korean businesses, according to researchers working for Palo Alto Networks.
Dubbed ‘Silver Spaniel’, the firm’s report on the gang offers an interesting insight into the software innovations that have turned malware attacks into a global cottage industry far beyond its assumed heartlands of Russia and China.
The group started targeting around 20 organisations in Asian countries in May using attachments and social engineering to trick people into loading popular Remote Access Trojans (RATs), including the multi-platform NetWire and DarkComet as well as the DataScrambler AV evasion tool. The object appears to be to steal logins for anything and everything.
This isn’t a sophisticated MO but it doesn’t have to be; according to Palo Alto only two of 51 anti-virus engines on VirusTotal detected the attachment’s executable as being suspicious thanks to automated polymorphism that cranks out numerous variants of the same malware.
It’s also slapdash in ways that would have practiced cybercriminals frowning, revealing command and control IP addressed leading to Nigerian mobile networks. The company hasn’t traced these to specific individuals but concludes that the perpetrators feel that there is little chance of detection and so don’t bother to hide their general origin.
This brazen attitude is demonstrated by the example of a named Nigerian (not necessarily connected to Silver Spaniel but who has allegedly used 419s) who feels confident enough to post queries about specific RATs using a real Facebook profile.
“These Silver Spaniel malware activities originate in Nigeria and employ tactics, techniques and procedures similar to one another. The actors don’t show a high level of technical acumen, but represent a growing threat to businesses that have not previously been their primary targets,” said Palo Alto’s Unit 42 intelligence director, Ryan Olson.
The gang either wasn’t particularly techie or simply didn’t care whether people knew who they were because their chances of being caught were slim, he said.
The larger point is that the tools on offer are powerful enough to evade AV, can be rented on one PC for as little as $40 for six months and can be used to pave the way for more complex payloads. Low-level criminals tiring of trying to make a living using well-rehearsed but increasingly ineffective 419 email scams have noticed the new opportunity.
Named after the section of the Nigerian penal code covering fraud crime, people wrote off 419 scams as ludicrous and yet they worked for years. Now the same Nigerian industry seems to be trying its hand at more complex malware.