Skip to main content

Silence, Carbanak is back!

Kaspersky Lab experts have found a new trojan that was deployed to aid cyber-heists of banks in Russia, Armenia, and Malaysia. Experts named the new trojan Silence.

According to Kaspersky's GReAT investigation team, the trojan was spotted for the first time in September this year. Most of the attacks were against Russian banks.

While there are no clues to link the trojan to the infamous Carbanak gang (hacker group specialized in robbing banks), the attacker's mode of operation resembles some past Carbanak techniques. At this point, the Silence attacks could be a new Carbanak operation or the work of copycats that modeled their modus operandi based on Carbanak reports released by cyber-security firms.

How the Silence attacks happened

Experts were able to piece together how an attack with the Silence trojan works. It all begins with the hackers gaining access to a bank employee's email account. This can be done with malware or because the employee had reused passwords from accounts included in publicly leaked datasets.
The Silence group uses the bank employee's compromised account to send spear-phishing emails to other bank workers. The purpose is to identify other employees with access to sensitive bank management systems.
These emails contain a CHM (compiled HTML) file attachment. If the victim downloads and opens this file, the CHM file runs JavaScript commands that download and install a first-stage malware payload.
This is what experts call a "dropper." In this particular case, it's a Win32 executable that collects data on infected hosts and sends the info to the attackers' command and control (C&C) servers.

Silence works by recording a pseudo-video stream

If the C&C servers deem the PC valuable, they send over a second-stage payload, the Silence trojan. Silence's main feature is its ability to take repeated screenshots of the user's desktop.

The images are taken at quick intervals and uploaded to the C&C server, creating a real-time pseudo-video stream with the bank employee's activity.
Attackers most likely chose to take screenshots instead of recording an actual video because it uses fewer PC resources and allows Silence to remain undetected, hence the trojan's name.

The Silence group can later review these screenshots and look for data that may aid them in planning further stages of their attack, such as identifying URLs for internal bank money management systems, local applications they can exploit, or get an overview of other computers on the local network.
According to Kaspersky, the group then leverages legitimate Windows administration tools to fly under the radar in their post-exploitation phase, a technique used by the Carbanak group in the past.

Kaspersky did not reveal how the attack continues past this point, which banks were infected, or how much money attackers stole.

Bank robbers are getting creative

The Silence attacks are not the only cyber-heists carried out against Russian banks. Trustwave SpiderLabs found another hacking crew that used a new "overdraft" technique to rob banks, managing to steal over $40 million from several Eastern European financial organizations.

Other clever techniques used by Carbanak in past attacks include the use of Google legitimate services — Google Apps Script, Google Sheets, and Google Forms — to host C&C servers; and calling and tricking tech support department employees into opening malware-laden documents. The computers of tech support department employees are then used as pivot points for attacks or reconnaissance operations.

A technical analysis of the Silence trojan, along with IOCs, are available in Kasperksy's report here.

Source: https://www.bleepingcomputer.com/news/security/-silence-trojan-records-pseudo-videos-of-bank-pcs-to-aid-bank-cyber-heists/

Comments

Popular posts from this blog

‘Infraud’ Cybercrime Forum is Busted, 13 hackers arrested & 36 charged

The U.S. Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of ‘ Infraud ,” a long-running cybercrime forum that federal prosecutors say cost consumers more than a half billion dollars. In conjunction with the forum takedown, 13 alleged Infraud members from the United States and six other countries were arrested. Started in October 2010, Infraud was short for “In Fraud We Trust,” and collectively the forum referred to itself as the “Ministry of Fraudulently [sic] Affairs.” As a mostly English-language fraud forum, Infraud attracted nearly 11,000 members from around the globe who sold, traded and bought everything from stolen identities and credit card accounts to ATM skimmers, botnet hosting and malicious software. “Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice,” said John P. Cronan , acting assistant attorne

Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States

Yevgeni Nikulin (29) was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox. The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI. The case in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election  through hacking . Source: US Defense Watch.com In May, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan. “It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as sayin

Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs from the Raiffeisen Romania bank

Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania, the gang stole the money in just one night in 2016. “One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website  bzi .ro. The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization. The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, they sent email messaging using a weaponized RTF document. The bait document that appeared as sent on behalf of th