Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/1/2017
05:39 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

'Silence' Trojan Mimics Carbanak to Spy, Steal from Banks

Attackers break into financial organizations and stay there to record employees' activities, steal data, and use it to steal, similar to the Carbanak group.

A new attack targeting financial institutions is leveraging techniques similar to those used by the Carbanak hacker group, report Kaspersky Lab researchers. The "Silence group," as it's being called, deploys the Silence Trojan after spending long periods of time in a target organization.

The goal is not to target the banks' customers, but the banks themselves, for financial gain.

Silence gains entry into financial businesses by tricking employees with spearphishing emails. Attackers often use email addresses belonging to employees of organizations they previously infected, and ask victims to open an account. From a legitimate address, it seems unsuspicious.

Bundled with the email is a malicious attachment, which attackers exploit to run payloads once the victim clicks it. This prompts a series of downloads and executes the dropper, which communicates with the C&C server and downloads and executes malicious modules to monitor victims through screen recording, data upload, credential theft, and remote control access.

The "monitoring and control" module records the victim by taking multiple screenshots of their active monitor to provide a real-time stream. A "screen activity gathering module" uses the Windows Graphics Device Interface (GDI) and Windows API to capture screen activity, putting together collected bitmaps to create a "pseudo-video stream" of the victim's activity, researchers explain.

From there, attackers lie in the network long enough to obtain sufficient data to steal money.

The Silence Trojan employs monitoring capabilities similar to those used by the Carbanak group, a cybercrime organization based in Eastern Europe. Carbanak also used spearphishing campaigns to target financial institutions, mostly in Russia with some in Denmark and the United States.

Using a remote Trojan backdoor, Carbanak spied, stole data, and gave remote access to infected machines. Spying gave the group information it needed to steal about $1 billion over two years from 100 different banks in 30 countries. Sergey Lozhkin, Kaspersky Lab security expert, compares the two:

"These operations utilize the following similar technique: they gain persistent access to internal banking networks for a long period, monitor its day-to-day activity, examine the details of each separate bank network and then use that knowledge to steal as much money as possible," he says.

"One strong similarity to Carbanak is the persistence to understand the victim's day-to-day activity and obtain enough information for eventual monetary gain."

Based on the language found during their research of the attack, experts conclude the threat actors behind Silence speak Russian. Most of Silence's victims have been Russian banks, though it has also infected businesses in Malaysia and Armenia. The attacks are still ongoing.

"The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks," says Lozhkin in a blog post on the discovery. "We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed."

This isn't the first time attackers have used strategies similar to Carbanak's. In October 2016, Symantec found a group of hackers targeting the SWIFT payments network with an advanced Trojan called Odinaff. The "Odinaff group" attempted to infiltrate several financial services and banking businesses. Some of their tools and infrastructure were similar to those in Carbanak campaigns.

Similar targets aside, the Odinaff group used three command-and-control IP addresses associated with old reported Carbanak campaigns. Experts said the Odinaff attackers could be part of Carbanak, or the two could be loosely affiliated.

"The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether," Kaspersky researchers write, highlighting the common flaws of improper system configurations and errors in proprietary applications.

Researchers did not confirm whether the Silence Trojan was created by a spinoff of the Carbanak group, or another group copying its tools and techniques. The discovery also did not imply any direct connections between Carbanak and another threat actor group.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7989
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userUsername XSS.
CVE-2020-7990
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userName XSS.
CVE-2020-7991
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
CVE-2020-7984
PUBLISHED: 2020-01-26
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/a...
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...