Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/1/2017
05:39 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

'Silence' Trojan Mimics Carbanak to Spy, Steal from Banks

Attackers break into financial organizations and stay there to record employees' activities, steal data, and use it to steal, similar to the Carbanak group.

A new attack targeting financial institutions is leveraging techniques similar to those used by the Carbanak hacker group, report Kaspersky Lab researchers. The "Silence group," as it's being called, deploys the Silence Trojan after spending long periods of time in a target organization.

The goal is not to target the banks' customers, but the banks themselves, for financial gain.

Silence gains entry into financial businesses by tricking employees with spearphishing emails. Attackers often use email addresses belonging to employees of organizations they previously infected, and ask victims to open an account. From a legitimate address, it seems unsuspicious.

Bundled with the email is a malicious attachment, which attackers exploit to run payloads once the victim clicks it. This prompts a series of downloads and executes the dropper, which communicates with the C&C server and downloads and executes malicious modules to monitor victims through screen recording, data upload, credential theft, and remote control access.

The "monitoring and control" module records the victim by taking multiple screenshots of their active monitor to provide a real-time stream. A "screen activity gathering module" uses the Windows Graphics Device Interface (GDI) and Windows API to capture screen activity, putting together collected bitmaps to create a "pseudo-video stream" of the victim's activity, researchers explain.

From there, attackers lie in the network long enough to obtain sufficient data to steal money.

The Silence Trojan employs monitoring capabilities similar to those used by the Carbanak group, a cybercrime organization based in Eastern Europe. Carbanak also used spearphishing campaigns to target financial institutions, mostly in Russia with some in Denmark and the United States.

Using a remote Trojan backdoor, Carbanak spied, stole data, and gave remote access to infected machines. Spying gave the group information it needed to steal about $1 billion over two years from 100 different banks in 30 countries. Sergey Lozhkin, Kaspersky Lab security expert, compares the two:

"These operations utilize the following similar technique: they gain persistent access to internal banking networks for a long period, monitor its day-to-day activity, examine the details of each separate bank network and then use that knowledge to steal as much money as possible," he says.

"One strong similarity to Carbanak is the persistence to understand the victim's day-to-day activity and obtain enough information for eventual monetary gain."

Based on the language found during their research of the attack, experts conclude the threat actors behind Silence speak Russian. Most of Silence's victims have been Russian banks, though it has also infected businesses in Malaysia and Armenia. The attacks are still ongoing.

"The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks," says Lozhkin in a blog post on the discovery. "We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed."

This isn't the first time attackers have used strategies similar to Carbanak's. In October 2016, Symantec found a group of hackers targeting the SWIFT payments network with an advanced Trojan called Odinaff. The "Odinaff group" attempted to infiltrate several financial services and banking businesses. Some of their tools and infrastructure were similar to those in Carbanak campaigns.

Similar targets aside, the Odinaff group used three command-and-control IP addresses associated with old reported Carbanak campaigns. Experts said the Odinaff attackers could be part of Carbanak, or the two could be loosely affiliated.

"The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether," Kaspersky researchers write, highlighting the common flaws of improper system configurations and errors in proprietary applications.

Researchers did not confirm whether the Silence Trojan was created by a spinoff of the Carbanak group, or another group copying its tools and techniques. The discovery also did not imply any direct connections between Carbanak and another threat actor group.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4019
PUBLISHED: 2020-06-01
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability.
CVE-2020-4020
PUBLISHED: 2020-06-01
The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure.
CVE-2020-4021
PUBLISHED: 2020-06-01
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
CVE-2020-4023
PUBLISHED: 2020-06-01
The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.
CVE-2020-4013
PUBLISHED: 2020-06-01
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.