New “Silence Trojan” Used in Ongoing Bank Attacks

Silence Trojan is a Fresh Example of Cybercriminals Shifting From Attacks on Users to Direct Attacks Against Banks

Security researchers from Kaspersky Lab are monitoring an ongoing cyber attack against primarily Russian, but also Malaysian and Armenian, financial institutions. The attack is new and has been dubbed ‘Silence’. The researchers make no attribution for the attackers, but note that the attack methodology is broadly similar to that used in earlier successful Carbanak bank attacks.

The attack starts with gaining access to the email account of an employee working in a financial institution. The method is not important — it could be spam-delivered malware or via a re-used password leaked from an unrelated breach. However, once the attackers have access to a genuine employee’s email, they can deliver more compelling spear-phishing attacks against the target bank’s own employees.

Typically, say Kaspersky Lab’s GReAT researchers in a report published Wednesday, “The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank. The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”

The spear-phishing email carries a .CHM attachment. This is Microsoft’s own online help format consisting of a collection of HTML pages, indexing and other navigation tools. The point is that CHM files are highly interactive and can contain and run JavaScript. If the target can be enticed to open the attachment, the embedded ‘start.htm’ is automatically run. The JavaScript downloads an obfuscated .VBS script, which in turn downloads the dropper.

In this instance, the dropper is a Win-32 executable that communicates with the attackers’ C&C server. It sends the ID of the infected machine, and downloads and executes malicious payloads. These provide various functions such as screen recording and data uploading. As with the earlier Carbanak attacks, the Silence group now takes its time to learn and understand how the bank operates. The Carbanak group (also known as Anunak) is thought to have stolen upwards of $1 billion over the last few years.

Key to this ‘learning’ phase is the generation of pseudo screen videos. A downloaded ‘monitoring and control’ module “takes multiple screenshots of the victim’s active screen, providing a real-time pseudo-video stream with all the victim’s activity.” Taking individual screenshots rather than a genuine video will use less system resources and help the process remain under the radar of the user.

The information contained in the ‘video’, however, is likely to provide useful data on how the bank works, URLs used in the bank’s management systems, and further exploitable applications. This data is gathered and analyzed by the attackers until they have enough information to strike and steal as much money as possible.

“The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed. The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture,” notes Sergey Lozhkin, security expert at Kaspersky Lab.

So far, Kaspersky Lab has provided no information on which banks are being attacked, nor whether any (nor how much) money may have been stolen. Nevertheless, the attack is further corroboration that criminals are beginning to attack banks directly for large amounts rather than bank customers for small amounts.

In October 2017, SpiderLab’s described a bank attack that combines cybercriminal and organized crime gangs to steal large amounts of cash via ATM devices. By compromising bank systems, and creating fake accounts with large overdrafts, the attackers were able to withdraw thousands of dollars from various ATMs. SpiderLabs believes that at least four banks in Russia and post-Soviet states have lost an average of $10 million dollars each in this process.


Leave a Reply

Your email address will not be published. Required fields are marked *