Silence Group is borrowing Carbanak TTPs in ongoing bank attacks

A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the Carbanak group.

A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the dreaded Carbanak hacker group that stole as much as $1 billion from banks worldwide.

The Silence gang was uncovered by researchers at Kaspersky Lab who speculate it is imitating the notorious Carbanak group.

“In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready.” states the report published by Kaspersky.

“We saw that technique before in Carbanak, and other similar cases worldwide.”

The attackers leverage spear-phishing emails with a malicious attachment, the experts pointed out that the Silence group first compromised banking infrastructure in order to send the messages from the addresses of bank employees.

At the time, experts from Kaspersky have no information on how much the Silence group had stolen to date, they confirmed the attacks are still ongoing.

The hackers use legitimate administration tools to fly under the radar making hard the detection of the fraudulent activities.

“This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks.” states Kaspersky Lab.

“The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.”

The group used backdoors to gain persistence on the targeted banks and monitor operations of its employees, the malicious code allows them to upload data, steal credentials, record the screen like the Carbanak does.

Screen grabs allow cyber criminals to create a video recording of daily activity on employees’ computers, such kind of information is essential for the cyber heists.

The experts discovered the hackers leverage a proprietary Microsoft online help format called Microsoft Compiled HTML Help (CHM) because CHM files are interactive and can run JavaScript.

“These files are highly interactive and can run a series of technologies including JavaScript, which can redirect a victim towards an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed.” Kaspersky Lab said.

“Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL” 

Once the dropper is unpacked and executed from the C&C, a number of payload modules are dropped that allow the attackers to spy on the internal staff of the targeted banks.

One of those modules is the screen monitor, which leveraged the Windows GDI and API tools to create a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.

Further details are available in the report, including Indicators of Compromise.

Kaspersky will continue to monitor the Silence Group.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Silence group, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]