
Silence trojan targets Russian financial institutions, mimics Carbanak gang

A new banking trojan dubbed “Silence” is using methods similar to those used by the Carbanak gang to target Russian financial institutions.  

The attackers use the trojan to gain persistent access to an internal banking network for a long period of time, making video recordings of bank employees' PC activity, learning how things work in their target banks and what software is being used, and then using that knowledge to steal as much money as possible when ready, Kaspersky researchers said in a Nov. 1 blog post.

The malware takes multiple screenshots of a victim's screen and streams them to the threat actors, giving them what researchers described as a “real-time pseudo-video stream.”

Victims are targeted with spearphishing emails containing the malicious attachment, and researchers noted the cybercriminals had already compromised banking infrastructure in order to send the malicious emails from the addresses of real bank employees, making them look more inconspicuous and fooling potential victims.

Kaspersky Lab Security Expert Sergey Lozhkin said it's interesting because the threat actors used the email infrastructure of already-infected banks in order to spread the malware further to other victims, by creating emails with malicious attachments that look.

The trojan uses legitimate administration tools to fly under the radar. The malicious attachment used in the infection is a “Microsoft Compiled HTML Help” file, and the payloads are a number of modules executed on the infected system for various tasks such as screen recording, data uploading, etc., the post said.
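The CHM attachment vector described above lends itself to a simple content check on inbound mail. The following Python script is an added example, not code from the original article or from Kaspersky: it flags attachments whose bytes begin with the CHM container header ITSF, regardless of the file name or declared MIME type, and runs against a constructed sample message in which the CHM payload is disguised as a PDF.

```python
"""Flag Microsoft Compiled HTML Help (CHM) attachments in an e-mail message.

CHM files begin with the magic bytes b"ITSF", so the check inspects the
decoded payload rather than trusting the file name or declared MIME type.
"""
import email
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # header of the ITSS container used by .chm files


def find_chm_attachments(raw_message: bytes) -> list[dict]:
    """Return one record per attachment whose payload is a CHM file.

    Each record notes whether the file name also said CHM, so a disguised
    attachment (renamed to .pdf, for instance) stands out in the output.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(CHM_MAGIC):
            continue
        name = part.get_filename() or "<unnamed>"
        hits.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "name_says_chm": name.lower().endswith(".chm"),
            "size": len(payload),
        })
    return hits


def build_sample_message() -> bytes:
    """Constructed test data (not a real sample): a CHM payload labelled as
    a PDF, plus a benign text attachment that must not be flagged."""
    msg = EmailMessage()
    msg["From"] = "employee@bank.example"
    msg["To"] = "colleague@bank.example"
    msg["Subject"] = "Updated instructions"
    msg.set_content("Please see the attached document.")
    # Fake CHM body: only the ITSF header matters for this check.
    msg.add_attachment(CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf",
                       filename="instructions.pdf")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_chm_attachments(build_sample_message()):
        print(hit)
```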

“After the initial infection, the Trojan gives the attacker a way to upload files and run commands, and it's quite often that cybercriminals use legitimate tools like winexesvc to evolve within infected networks, running console commands, etc.,” Lozhkin said. “This is not hard for an attacker that possesses some IT knowledge.”

A Russian-speaking group may be behind the attacks, as they have primarily targeted Russian banks, with the exception of a few infections spotted in Malaysia and Armenia, researchers said in the report.

The attacks were discovered in September 2017, and the trojan is apparently being used in multiple international locations, suggesting those behind the attacks are expanding the group's activity. Lozhkin said that, overall, there is nothing especially unique about the malware, noting its similarity to Carbanak.

As spearphishing attacks like this continue to offer a good return on investment for threat actors, researchers recommend the use of preventive advanced detection technologies that are capable of detecting all types of anomalies and scrutinizing suspicious files.

"The major threat to banks used to be physical bank robbers, so banks used a safe and minimal cash in the tills," Imperva Chief Technology Officer Terry Ray told SC Media. "So, they got bigger safes. But then the threat and security solutions evolved, so banks used video cameras in the customer part of the bank, then in the safe, then over the tills."

Ray said cyber criminals use multi-stage attacks to infiltrate and then move laterally until they get the data they are after. Some researchers argue banks need to make their credentials useless in the hands of threat actors. NuData Security Vice President Ryan Wilk said techniques such as passive biometrics could help with this.

"The Silence group was able to monitor the infected computers and look at the credentials and the information that was being submitted," Wilk said. "With a layered authentication, hackers are still able to install the Silence Trojan and monitor computers to steal passwords and credentials but they are not able to use them to finalise a transaction – the hacker can't replicate the additional layer that verifies the real user's inherent behaviour."
