Banks in U.K., India and South Korea Among Those Targeted, Researchers Warn.
A cybercrime gang that has targeted banks and ATMs in Russia and other Eastern European countries is beginning to expand its reach to other regions, security researchers warn.
The gang, known as Silence because of the long period of time between its attacks, was first spotted in 2016. Its cybercrimes, including ATM jackpotting or “cash out” schemes, have netted the gang at least $800,000 so far, according to researchers and published reports.
Until recently, the group’s activity appears to have been mainly confined to Russia and some countries within the so-called CIS or SF2, a group of former Soviet Union states that include Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.
Now, however, the Silence group, which may only involve two individuals, appears to be expanding into Western Europe and Asia, according to researchers.
“What we see now is that Silence shifted their focus from the CIS and neighboring countries to international markets,” Rustam Mirkasymov, head of the dynamic analysis department at security firm Group-IB, tells Information Security Media Group.
Group-IB has been tracking the stealthy group for several years.
“According to Group-IB’s threat intelligence, the group’s latest campaigns were targeted at banks and financial organizations in the U.K., India and South Korea,” Mirkasymov says. “Asia particularly draws cybercriminals’ attention: Group-IB is aware of at least one successful attack in Asia.”
Since the end of 2018, Silence has started changing its communication protocols and obfuscating malware to avoid detection, Mirkasymov says. The gang also has adjusted its infrastructure to make it more difficult for researchers to track it or tie it to specific attacks, he adds.
Silence’s success is based on patience and careful target selection, as well as using “living-off-the-land” techniques and its own set of malicious tools, according to researchers at FortiGuard Labs, the threat research arm of Fortinet.
“Living off the land essentially entails the attackers using tools and commands already built into the operating system itself, such as [Microsoft] PowerShell or wscript [Windows Script Host],” researchers with the FortiGuard Labs’ SE research team tell ISMG. “One thing to note is that each scenario is different for living-off-the-land techniques.
“Once the attacker is in the target environment, they will use various tools tailored to their specific needs. One group may have the need to download additional payloads via PowerShell, another may just need to steal credentials and another group may have the need to be completely destructive and just wipe out data completely.”
From Phishing to Jackpotting
The Silence group also uses spear phishing to target victims and steal passwords and other credentials to gain initial entry into a network, the FortiGuard researchers say. Its emails typically contain a malicious Microsoft Word document or a Microsoft-compiled html help – aka CHM – file that gets sent to bank employees with the goal of tricking them into clicking on a link, the researchers have found.
If the targeted victim clicks on the link, a malicious script contacts a server while running in the background. This script starts the second stage attack by executing a file from the attacker’s server to the targeted machine, FortiGuard researchers report.
From here, this obfuscated Visual Basic Script file is executed within a browser window inside the help file directory, where it then de-obfuscates and executes a PowerShell command. This command calls to another server to retrieve a binary file, which then decrypts into a third-stage downloader, according to the researchers.
Screenshot of Proxy Module (Source: FortiGuard)
This third and final download is the Silence custom payload that contains several modules, including the main Silence module, a proxy module, a monitoring agent module and an ATM module. Depending on the stage of the attack, one or all of these might be functioning within the infected network, the research team notes.
The Fortiguard researchers say all of the modules work in slightly different ways:
- Main module: This enables the Silence group to control all the aspects of the attack, including resetting everything and reconnecting to the command-and-control server if necessary.
- Proxy module: There are actually two different proxies written in two different languages: Delphi and .Net. These can allow the attackers to jump to a different network or dig deeper into the target bank’s network.
- Monitor module: This enables the gang to spy on the network by taking screens shots at various intervals. It gives the group almost a video stream look at the network.
- ATM module: Also known as “Atmosphere,” this module allows Silence to cash out an ATM. The module searches for a legitimate function called “atmapp.exe” that is proprietary ATM software. Atmosphere then injects a dynamic link library file into the code, which then takes over the ATM.
Once the code has been injected, the researchers suspect that a money mule travels to the ATM to cash out the funds – thus committing the actual jackpotting.
Expect New Tactics
With its apparent expansion into Western Europe and Asia, security researchers believe that Silence will not only continue to refine its tactics, but also update its custom toolsets.
“We don’t have hard numbers, but we can safely surmise that the bad actors behind this are aware of the new detections and signatures going out on their samples and are actively testing their files against VirusTotal and other scanners continuously,” the FortiGuard researchers say.
To read the origianl article: