A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the dreaded Carbanak hacker group that stole as much as $1 billion from banks worldwide.
The Silence gang was uncovered by researchers at Kaspersky Lab who speculate it is imitating the notorious Carbanak group.
“In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready.” states the report published by Kaspersky.
“We saw that technique before in Carbanak, and other similar cases worldwide.”
The attackers leverage spear-phishing emails with a malicious attachment, the experts pointed out that the Silence group first compromised banking infrastructure in order to send the messages from the addresses of bank employees.
At the time, experts from Kaspersky have no information on how much the Silence group had stolen to date, they confirmed the attacks are still ongoing.
The hackers use legitimate administration tools to fly under the radar making hard the detection of the fraudulent activities.
“This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks.” states Kaspersky Lab.
“The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.”
The group used backdoors to gain persistence on the targeted banks and monitor operations of its employees, the malicious code allows them to upload data, steal credentials, record the screen like the Carbanak does.
Screen grabs allow cyber criminals to create a video recording of daily activity on employees’ computers, such kind of information is essential for the cyber heists.
Once the dropper is unpacked and executed from the C&C, a number of payload modules are dropped that allow the attackers to spy on the internal staff of the targeted banks.
One of those modules is the screen monitor, which leveraged the Windows GDI and API tools to create a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.
Further details are available in the report, including Indicators of Compromise.
Kaspersky will continue to monitor the Silence Group.