New financially motivated attacks in Western Europe traced to Russian-speaking threat actors

Pierluigi Paganini March 27, 2020

Researchers at Group-IB observed new financially motivated attacks in Western Europe traced to Russian-speaking threat actors.

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected successful attacks in Western Europe carried out in late January 2020 traced to Russian-speaking threat actors.

At least two companies operating in pharmaceutical and manufacturing sectors have been affected. Group-IB has immediately contacted the victims upon discovery. The tools used in the attacks were traced to Silence and TA505 – Russian-speaking financially-motivated groups.

According to industry researchers, TA505 is known to have carried out attacks on banks, medical institutions retailers and other businesses in the past. At the same time, banks and financial organizations have long been the only targets of Silence. If the latter are the ones to blame, this marks the first time the gang has launched the attacks against pharmaceutical and manufacturing companies and may indicate a significant shift in their modus operandi. 

The malware samples used in the European attacks showed up on VirusTotal on February 2 and have been classified as Silence.ProxyBot (MD5: ce04972114bbd5844aa2f63d83cdd333) and 2 upgraded versions of Silence.MainModule (363df0b3c8b7b390573d3a9f09953feb & 800060b75675493f2df6d9e0f81474fd). During the analysis of these samples Group-IB Threat Hunting Intelligence team has identified at least two affected companies from Belgium and Germany.

The victims have been notified by Group-IB and provided with all the information to stop the incidents. In addition to the victims, Group-IB experts have managed to establish the CnCs used during the attacks 195.123.246[.]126 and 37.120.145[.]253.

The former has been active since late January 2020. Further analysis of cybercriminals’ infrastructure revealed two other executables had likely been deployed during the European campaign: an LPE exploit for CVE-2019-1405 and CVE-2019-1322 (comahawk.exe) and a Meterpreter stager TinyMet. It’s important to note that TinyMet was compressed using a packer developed by TA505 – a longtime friend of Silence in the business.

The alleged connection between Silence and TA505 was described in Group-IB’s recent report “Silence 2.0: Going Global” for the first time. FlawedAmmyy, a RAT that provides full access to infected machines, is reported to have been used in some of TA505 recent attacks.

Group-IB researchers carried out comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader which revealed that these programs were likely developed by the same person — a Russian speaker who is active on underground forums. In late 2019, Group-IB’s DFIR specialists were called in to address Silence’s attack in Europe which was also carried out with the help of TA505: the latter likely provided access to the compromised bank’s network to the Silence gang. The latest Group-IB’s findings confirm the connection between the two threat actors.

“While the extent of the damage caused is yet unknown, the choice of the targets, that are unorthodox for Silence, gives some basis to believe that this was either a ransomware attack or these companies were compromised as part of a complex supply-chain attack.” comments Rustam Mirkasymov, Head of Dynamic Malware Analysis department at Group-IB.

“Having analyzed the toolset used in the campaign we can assume with moderate confidence that Silence was behind the attacks. There is always a possibility that Silence’s tools could have been sold to another threat actor or borrowed by TA505, for example. Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang’s attempts to avoid detection as a result of being in the spotlight of security researchers for some time now.”

According to Group-IB’s “Silence 2.0: Going Global” report, issued in August, Silence significantly expanded their geography and increased the frequency of their attacks. The total confirmed amount of funds stolen by Silence has increased fivefold since the publication of Group-IB’s original report on Silence, and is now estimated at USD 4.2 million. Group-IB’s Threat Intelligence team established that Silence has made a number of changes to its TTPs and enhanced its arsenal. Given that the gang represents a growing threat, both of Group-IB’s reports on Silence — (“Silence: Moving into the darkside” and its sequel, “Silence 2.0: Going Global”) — have been made publicly available to help cybersecurity specialists with proper attribution and prevention of new incidents.

About the author Group-IB:

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider. Group-IB is a member of the World Economic Forum.   

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Russian-speaking hackers, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment