Skip to main content

Silence, Carbanak is back!

Kaspersky Lab experts have found a new trojan that was deployed to aid cyber-heists of banks in Russia, Armenia, and Malaysia. Experts named the new trojan Silence.

According to Kaspersky's GReAT investigation team, the trojan was spotted for the first time in September this year. Most of the attacks were against Russian banks.

While there are no clues to link the trojan to the infamous Carbanak gang (hacker group specialized in robbing banks), the attacker's mode of operation resembles some past Carbanak techniques. At this point, the Silence attacks could be a new Carbanak operation or the work of copycats that modeled their modus operandi based on Carbanak reports released by cyber-security firms.

How the Silence attacks happened

Experts were able to piece together how an attack with the Silence trojan works. It all begins with the hackers gaining access to a bank employee's email account. This can be done with malware or because the employee had reused passwords from accounts included in publicly leaked datasets.
The Silence group uses the bank employee's compromised account to send spear-phishing emails to other bank workers. The purpose is to identify other employees with access to sensitive bank management systems.
These emails contain a CHM (compiled HTML) file attachment. If the victim downloads and opens this file, the CHM file runs JavaScript commands that download and install a first-stage malware payload.
This is what experts call a "dropper." In this particular case, it's a Win32 executable that collects data on infected hosts and sends the info to the attackers' command and control (C&C) servers.

Silence works by recording a pseudo-video stream

If the C&C servers deem the PC valuable, they send over a second-stage payload, the Silence trojan. Silence's main feature is its ability to take repeated screenshots of the user's desktop.

The images are taken at quick intervals and uploaded to the C&C server, creating a real-time pseudo-video stream with the bank employee's activity.
Attackers most likely chose to take screenshots instead of recording an actual video because it uses fewer PC resources and allows Silence to remain undetected, hence the trojan's name.

The Silence group can later review these screenshots and look for data that may aid them in planning further stages of their attack, such as identifying URLs for internal bank money management systems, local applications they can exploit, or get an overview of other computers on the local network.
According to Kaspersky, the group then leverages legitimate Windows administration tools to fly under the radar in their post-exploitation phase, a technique used by the Carbanak group in the past.

Kaspersky did not reveal how the attack continues past this point, which banks were infected, or how much money attackers stole.

Bank robbers are getting creative

The Silence attacks are not the only cyber-heists carried out against Russian banks. Trustwave SpiderLabs found another hacking crew that used a new "overdraft" technique to rob banks, managing to steal over $40 million from several Eastern European financial organizations.

Other clever techniques used by Carbanak in past attacks include the use of Google legitimate services — Google Apps Script, Google Sheets, and Google Forms — to host C&C servers; and calling and tricking tech support department employees into opening malware-laden documents. The computers of tech support department employees are then used as pivot points for attacks or reconnaissance operations.

A technical analysis of the Silence trojan, along with IOCs, are available in Kasperksy's report here.



Popular posts from this blog

Javascript Miner: Hacker's Wet Dream

Experiencing lags on your computer? You're probably running a miner that consumes 100% of your CPU. Coin Hive (a JavaScript based miner) is becoming rapidly popular among Malware developers.

Coinhive, as a tool, is a JavaScript library that website owners can load on their site. When users access the site, the Coinhive JavaScript code library executes and mines for Monero, but using the user's CPU resources.

Very smart idea as it was meat to be a replacer for publicities. Coinhive launched on September 14, and its authors advertise it as an alternative to classic advertising. Coinhive claims that webmasters can remove ads from their sites, and load the Coinhive library and mine for Monero using a small portion of the user's CPU while the user is navigating the site. Site owners can make money and support their business, but without peppering their visitors with annoying ads.

The idea got some traction, and two days after it launched The Pirate Bay ran it as a tes…

NiceHash: security breach leads to 60 million lost - Iceman is behind?

A dark day for crypto currency miners, NiceHash has been hacked. Closely to 60$ millions (4,736.42 BTC) have been stolen while the bitcoin is crossing the 14k$ mark for the first time.

The hacker's bitcoin address cleary shows the steal of  4,736.42 BTC in a window of 48 hours:

NiceHash users are furious by the time of reaction of the team. It took about 24 hours to realise that big amounts have been stolen.

I've contacted a member of Iceman and knowing this security breach for some reason he explained that NiceHash actually owned their users bitcoin wallets in order to save transactions fees and collect unclaimed BTC. This issue leads to a massive security breach which allow access to all NiceHash wallets. He claimed that by reverse engineering of their miner client, Iceman group was able to access their API. Is Iceman really behind this attack?

ICEMAN: Banks holes like in Cheese

Operation "Emmenthal" is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.

By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.

The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported "Emmental" attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

What was your goal of the attack?

We need more bank accounts to sell. The b…