Over the past week, Interpol has announced two successful operations which resulted in the arrest of several individuals believed to be behind a string of cyberattacks as well as operations to disrupt criminal operations. Both operations resulted in the arrest of Nigerian citizens believed to be behind malware-assisted financial attacks and Business Email Compromise (BEC) scams.
The latest announcement involved an operation dubbed “Killer Bee” which was led by Interpol with the assistance of Nigerian law enforcement as well as law enforcement agencies from 11 southeastern Asian countries culminated in the arrest of three Nigerian nationals.
Those arrested are suspected of using remote access trojans (RATs) to reroute financial transactions and steal account credentials. The three individuals arrested are believed to be part of a wider gang known for targeting large corporations, particularly those involved in the oil and gas industry.
While the announcement makes no mention of the gang's victims or the amount of money potentially stolen, it did go on to say traces of the RAT Agent Tesla were present on devices seized by law enforcement.
The malware first appeared on security researcher radars in 2014 and the past, the malware has used numerous methods to escape detection and analysis making any researcher’s job much harder. According to Qualys,
“Agent Tesla mainly gets delivered through phishing emails and has capabilities such as keylogging, screen capture, form-grabbing, credential stealing, and more. It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook – making its potential impact truly catastrophic…The malware itself goes through multiple layers of unpacking before deploying its final payload, which is very similar behavior to what’s found in families like Formbook. Agent Tesla is dotnet compiled malware and uses a steganography technique. We have observed a sudden increase in the use of this technique.”
In this case, it is believed Agent Tesla was used to steal account credentials from targeted organizations as well as a grant to access email communications and perform surveillance.
This is required to lay the groundwork for a successful BEC attack, as the malicious actors know when to strike and what convincing details to present the victim with.
It is also worth noting that Agent Tesla is seeing widespread deployment at this time, with a recent ASEC’s malware detection reports putting the malware at the top of the list, above Formbook, RedLine, Lokibot, Qakbot, and AveMaria.
The second announcement by Interpol involved an operation codenamed Delilah which resulted in the arrest of the suspected head of the Silver Terrier BEC gang. The gang has been active since 2015 and expanded into a massive BEC and phishing operation, with many of its members originating from Nigeria.
The Nigerian Police Force arrested a 37-year-old Nigerian suspect at the Murtala Mohammed International Airport in Lagos who is believed to be the head of the gang. At the time of his arrest, he was believed to be in the process of fleeing the country and even attempted to sell a vehicle via social media.
The gang has been on Interpol’s radar for some time and has been the target of two previous sting operations Falcon I and Falcon II. The first of the Falcon operations resulted in the arrest of three members of the gang, while the second operation resulted in the arrest of 11 individuals.
The gang is believed to have compromised up to 500,000 organizations' email infrastructure across 150 countries.
Palo Alto’s Unit 42, who assisted Interpol throughout all three operations noted,
“Unit 42 tracks Nigerian BEC actors under the name SilverTerrier. Following the arrest of 11 BEC actors as part of Operation Falcon II in December 2021, this recent operation is significant in that it demonstrates the resolve of global law enforcement to hold BEC actors accountable despite temporary setbacks. Specifically, in this case, the SilverTerrier actor fled Nigeria in 2021 when authorities initially attempted to apprehend him. Months later, in March 2022, he attempted to return home and was quickly identified and detained as he attempted to re-enter Nigeria. This level of international cooperation, tracking of actors as they travel internationally and subsequent apprehension of actors upon returning to their home countries represents a laudable advancement in the ability of global law enforcement organizations to combat these types of crimes.”
BEC scams continue to be one of the most profitable cyber fraud scams currently impacting the corporate world. The Federal Bureau of Investigation (FBI) said that the amount of money lost to business email compromise (BEC) scams continue to grow each year.
With a 65% increase in the identified global exposed losses between July 2019 and December 2021. Most of that money landed up in banks located in Hong Kong and Thailand. It is hoped that the successful operations conducted by Interpol continue.