Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/1/2017
05:39 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

'Silence' Trojan Mimics Carbanak to Spy, Steal from Banks

Attackers break into financial organizations and stay there to record employees' activities, steal data, and use it to steal, similar to the Carbanak group.

A new attack targeting financial institutions is leveraging techniques similar to those used by the Carbanak hacker group, report Kaspersky Lab researchers. The "Silence group," as it's being called, deploys the Silence Trojan after spending long periods of time in a target organization.

The goal is not to target the banks' customers, but the banks themselves, for financial gain.

Silence gains entry into financial businesses by tricking employees with spearphishing emails. Attackers often use email addresses belonging to employees of organizations they previously infected, and ask victims to open an account. From a legitimate address, it seems unsuspicious.

Bundled with the email is a malicious attachment, which attackers exploit to run payloads once the victim clicks it. This prompts a series of downloads and executes the dropper, which communicates with the C&C server and downloads and executes malicious modules to monitor victims through screen recording, data upload, credential theft, and remote control access.

The "monitoring and control" module records the victim by taking multiple screenshots of their active monitor to provide a real-time stream. A "screen activity gathering module" uses the Windows Graphics Device Interface (GDI) and Windows API to capture screen activity, putting together collected bitmaps to create a "pseudo-video stream" of the victim's activity, researchers explain.

From there, attackers lie in the network long enough to obtain sufficient data to steal money.

The Silence Trojan employs monitoring capabilities similar to those used by the Carbanak group, a cybercrime organization based in Eastern Europe. Carbanak also used spearphishing campaigns to target financial institutions, mostly in Russia with some in Denmark and the United States.

Using a remote Trojan backdoor, Carbanak spied, stole data, and gave remote access to infected machines. Spying gave the group information it needed to steal about $1 billion over two years from 100 different banks in 30 countries. Sergey Lozhkin, Kaspersky Lab security expert, compares the two:

"These operations utilize the following similar technique: they gain persistent access to internal banking networks for a long period, monitor its day-to-day activity, examine the details of each separate bank network and then use that knowledge to steal as much money as possible," he says.

"One strong similarity to Carbanak is the persistence to understand the victim's day-to-day activity and obtain enough information for eventual monetary gain."

Based on the language found during their research of the attack, experts conclude the threat actors behind Silence speak Russian. Most of Silence's victims have been Russian banks, though it has also infected businesses in Malaysia and Armenia. The attacks are still ongoing.

"The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks," says Lozhkin in a blog post on the discovery. "We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed."

This isn't the first time attackers have used strategies similar to Carbanak's. In October 2016, Symantec found a group of hackers targeting the SWIFT payments network with an advanced Trojan called Odinaff. The "Odinaff group" attempted to infiltrate several financial services and banking businesses. Some of their tools and infrastructure were similar to those in Carbanak campaigns.

Similar targets aside, the Odinaff group used three command-and-control IP addresses associated with old reported Carbanak campaigns. Experts said the Odinaff attackers could be part of Carbanak, or the two could be loosely affiliated.

"The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether," Kaspersky researchers write, highlighting the common flaws of improper system configurations and errors in proprietary applications.

Researchers did not confirm whether the Silence Trojan was created by a spinoff of the Carbanak group, or another group copying its tools and techniques. The discovery also did not imply any direct connections between Carbanak and another threat actor group.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
CVE-2021-25173
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
CVE-2021-25174
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).