
Woburn, MA – November 1, 2017 – Kaspersky Lab researchers have identified a series of targeted attacks against at least 10 financial organizations in multiple regions, including Russia, Armenia and Malaysia, being performed by a new group called Silence. First discovered in September 2017, Silence implements specific techniques similar to the infamous threat actor, Carbanak. The attacks are still ongoing.

Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak, which have succeeded in stealing millions of dollars from financial organizations. Most of these operations use the following technique: they gain persistent access to internal banking networks for a long period, monitor day-to-day activity, examine the details of each separate bank network and then, when the time is right, use that knowledge to steal as much money as possible.

This is the case with the Silence Trojan, which compromises its victim’s infrastructure via spear-phishing emails. Once the victim opens the sophisticated malicious attachment delivered by email, it takes just one click to initiate a series of downloads and finally execute the dropper. The dropper communicates with the command and control server, sends the ID of the infected machine, then downloads and executes malicious payloads responsible for various tasks such as screen recording, data uploading, credential theft and remote control access.

The criminals exploit the infrastructure of already infected financial institutions for new attacks by sending emails from real employee aliases to a new victim, along with a request to open a bank account. Through this technique, the criminals ensure the recipient does not suspect the infection vector.

When the cybercriminals gain persistence in the network, they start to examine it. The Silence group is capable of monitoring its victims’ activities, including taking multiple screenshots of the victim’s active screen, providing a real-time video stream of all the victim’s activities and more. All of the features serve one purpose: to understand the victim’s day-to-day activity and obtain enough information to eventually steal money. This process and style strongly resemble the techniques used by Carbanak.

Based on language artifacts found during their research into the malicious components of this attack, Kaspersky Lab security researchers have concluded that the criminals behind the malicious Silence attacks speak Russian.

“The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” said Sergey Lozhkin, security expert, Kaspersky Lab. “The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”

Kaspersky Lab researchers advise organizations to take the following measures, in order to protect themselves from possible cyberattacks:

  • Use a specialized solution against advanced threats that can detect all types of anomalies and scrutinize suspicious files at a deeper level to reveal, recognize and uncover complex attacks – like Kaspersky Anti Targeted Attack Platform.
  • Eliminate security holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services are a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising users on how to fix them, further strengthening corporate security.
  • Configure strict email processing rules and enable security solutions with dedicated functionality aimed at phishing, malicious attachments and spam – for example, cloud-assisted anti-phishing and attachment-filtering in Kaspersky Endpoint Security and targeted security solutions for email protection.

Find more about Silence Trojan and indicators of compromise on Securelist.com.

More information about Silence Trojan is available to customers of Kaspersky Intelligence Reporting Service by contacting intelreports@kaspersky.com.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah Kitsos 
781.503.2615
sarah.kitsos@kaspersky.com

Kaspersky Lab identifies Silence Trojan, a hacking group similar to Carbanak targeting financial organizations
