Nigerian Fraudsters Prefer Remote Trojans For Scamming

November 1, 2019
Remote Trojans

Nigerian business email compromise scams are growing more dangerous and sophisticated as cybercriminals add new tools and techniques to their arsenal such as remote access trojans (RATs) and advanced information stealers.

But even beyond soaring cybercriminal incidents, criminals are becoming less of a pesky threat, such as Nigerian Prince 419-style email scams, and more dangerous. Unit 42 said the same threat actors have now adopted damaging RATs such as NetWire and NanoCore, allowing them to strengthen their attacks and cast a wider net when it comes to targeting victims.


Cyber security researchers, which have been tracking 15 commodity malware families employed by Nigerian actors over the years, have attributed more than 30,000 samples of malware to roughly 300 unique actors in 2017. Of these malware families, nine represented a more traditional method for Nigerian cybercriminals – information stealers.

Nigerian threat actors, identified as SilverTerrier, are currently producing an average of 840 unique samples of information stealer malware per month, a 17 percent increase over the past year. The most popular information stealers include the well-known password stealer, Pony, which has existed in varying forms since 2012.


Two new information stealers, hybrid Android malware LokiBot and advanced keystroke logger Agent Tesla, have also emerged as more popular malware tools. “These two families have demonstrated steady growth over the past year, and we anticipate they will continue to climb in popularity and deployment over the next year,” according to the researchers.


These types of malware were used in a cyberattack discovered in June by a different group of researchers, where Nigerian cybercriminals targeted industrial firms to steal a slew of sensitive technical drawings, network diagrams, and project plans using BEC attacks. The bad actors used data sniffing tools from eight different malware families – including ZeuS, Pony, LokiBot, and a variety of RATs.


Beyond information stealers, Nigerian scammers are gaining remote access to compromised systems via a slew of RATs such as remote access trojans NetWire, NanoCore, and DarkComet, which can spy on the victims by taking screen captures or password stealing.  Using these tools, hackers can capture keystrokes, monitor web cameras, access network resources and provide remote desktop connections.


While the capabilities of ( RATs ) Remote Trojans exceed those of information stealers, the tools require greater technical expertise to employ – indicating that hackers are not just becoming more sophisticated but also have a more substantial infrastructure.

It remains clear that Nigerian threat actors will continue to expand their attacks in terms of size, scope and capabilities.


The threat actors themselves are mostly educated adults ranging in age from their 20s to 40s, researchers said. Many participate in cybercrime as a means to supplement legitimate employment, and most are currently also leveraging social media platforms as tools to promote organization and collaboration.


About the author

Leave a Reply