Search This Blog

Powered by Blogger.

Blog Archive

Labels

The new Silence Trojan on the loose

In September 2017, Kaspersky Lab’s GReAT investigation team found a new trojan that was deployed to aid cyber-heists of banks in Russia, Armenia, and Malaysia. Experts named the new trojan Silence.

The Russian hacking group has hit at least ten banks across the world with a piece of malware that opens up access to infected computers to compromise banking networks. The attacks are still ongoing.

The attackers used a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things work in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready.
The security outfit says that Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak, which have succeeded in stealing millions of dollars from financial organisations.

While there are no clues to link the trojan to the infamous Carbanak gang (hacker group specialized in robbing banks), the attacker's mode of operation resembles some past Carbanak techniques. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees, along with a request to open a bank account. The message looks like a routine request and looks as unsuspicious as possible to future victims.

At this point, the Silence attacks could be a new Carbanak operation or the work of copycats that modelled their modus operandi based on Carbanak reports released by cyber-security firms.

Experts were able to piece together how an attack with the Silence trojan works. This can be done with malware or because the employee had reused passwords from accounts included in publicly leaked datasets.
Share it: