Companies in Taiwan and South Korea targeted by Nigerian threat actors

Jul 23, 2014 07:46 GMT

After running 419 scams, a group of Nigerians changed their activity and now target victims in Taiwan and South Korea, using cheap software designed to take control of their computer systems.

Palo Alto Networks, a Santa Clara-based network security firm, released a report showing that Nigerian cybercrooks started to employ remote access tools (RATs) in order to gain access to the victim’s system, be it Windows, Mac or Linux.

They managed to track the origin of a malware campaign to IP addresses in Nigeria and also found evidence of 419 scammers learning the tricks of the trade for using malware in order to steal from their victims.

Researchers found that the crooks relied mainly on two pieces of malware to render their attacks undetectable. One is called NetWire and its purpose is to provide access to the remote machine via a graphical interface.

The second, dubbed DataScrambler, is used to encrypt the RAT so that it evades antivirus detection; the malware is delivered via email, as an attachment.

In some of the email samples discovered by Palo Alto Networks, the malicious executable file was called “Quatation For Iran May Order.exe,” and it appears that at that time it was detected by only two of the 51 antivirus engines that scanned it on VirusTotal.

While investigating this attack, the security researchers identified additional ones with similar traits. The campaign is tracked under the name “Silver Spaniel.”

The Californian security firm does not know how the former 419 Nigerian scammers choose their victims, but it observed that the targets were companies in Taiwan and South Korea.

It appears that despite their remarkable social engineering skills, these cybercriminals still have a lot to learn about malware.

They purchase ready-made tools from underground forums, have no coding experience, and exploit no software vulnerability to infect the computer. Instead, they rely on social engineering to trick the victim into installing the malware.

According to the results of the investigation, the scammers set up the remote access tools to connect to a dynamic DNS domain from NoIP.com. They also use a VPN service to route the traffic through a different IP address than the one provided by the ISP.
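The two observable traits described above, an executable email attachment and a RAT that calls back to a dynamic DNS host, are what a defender can check for. The following is an added example, not code from the article or from Palo Alto Networks; the mail and DNS records are constructed, and the list of dynamic DNS suffixes is an assumption to be extended with the provider domains relevant to your environment.

```python
"""Defensive triage for the Silver Spaniel tradecraft described above:
executable email attachments and RAT callbacks to dynamic-DNS hosts."""
from typing import Dict, List, Tuple

# Assumed dynamic-DNS suffixes (NoIP and similar); extend for your environment.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".jar")


def risky_attachment(filename: str) -> bool:
    """True if the attachment is directly executable, regardless of any
    decoy extension placed before it (e.g. 'order.pdf.scr')."""
    return filename.strip().lower().endswith(EXECUTABLE_EXTS)


def dynamic_dns_callback(fqdn: str) -> bool:
    """True if the queried name sits under a dynamic-DNS provider suffix."""
    host = fqdn.strip().lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


# Constructed sample mail-gateway records: (sender, attachment name)
MAIL_LOG: List[Tuple[str, str]] = [
    ("purchasing@example-supplier.test", "Quatation For Iran May Order.exe"),
    ("hr@example-corp.test", "policy_update.pdf"),
    ("sales@example-vendor.test", "order_details.pdf.scr"),
]

# Constructed sample resolver lines: "<source-ip> <queried-name>"
DNS_LOG = """
10.0.1.15 updates.example-os.test.
10.0.1.22 myhost.no-ip.org.
10.0.1.22 c2box.ddns.net.
10.0.1.30 mail.example-corp.test.
"""


def triage(mail_log: List[Tuple[str, str]], dns_log: str) -> Dict[str, List[str]]:
    """Return the attachments and DNS queries that deserve an analyst's attention."""
    flagged: Dict[str, List[str]] = {"attachments": [], "dns": []}
    for sender, attachment in mail_log:
        if risky_attachment(attachment):
            flagged["attachments"].append(f"{sender}: {attachment}")
    for line in dns_log.strip().splitlines():
        src, fqdn = line.split()
        if dynamic_dns_callback(fqdn):
            flagged["dns"].append(f"{src} -> {fqdn.rstrip('.')}")
    return flagged


if __name__ == "__main__":
    for kind, hits in triage(MAIL_LOG, DNS_LOG).items():
        print(kind, hits)
```

A host that both received a flagged attachment and later queried a dynamic DNS name is the correlation worth escalating first.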

“Silver Spaniel actors’ objective appears to be stealing passwords and other data they can use to further compromise their victim. Thus far we have not observed any secondary payloads installed or any lateral movement between systems, but cannot rule out this activity,” says the Palo Alto Networks report.