The Silence hacking crew grows louder

The Silence crew is making a lot more noise. The Russian-speaking hacking group, which specialises in stealing from banks, has been spreading its coverage and becoming more sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a report from the company last year which was the first to identify and analyse the Silence group. You can find both reports here.

Group-IB characterises Silence as a young and relatively immature hacking group that draws on the tools and techniques of others, learning from them and adapting them to its own needs. It has been traditionally cautious, waiting an average of three months between attacks.

That hasn’t stopped it profiting, though. A string of heists has bought the group’s total ill-gotten gains to $4.2m as of this month. As it evolves, the group has been broadening its geographical reach and developing new malware to refine its techniques, the report says.

It has also added a new step to its hacking process: a reconnaissance mail. Since late last year, it has started sending emails to potential targets containing a benign image or link. This helps it update its active target list and detect any scanning technologies that the victims use.

Then, armed with a list of valid addresses, it sends them a malicious email. It can carry Microsoft Office documents with malicious macros, CHM files (Compiled HTML, often used by Microsoft’s help system) or .LNKs (a link to an executable file). Successful exploits install the group’s malware loader, Silence.Downloader (aka TrueBot). It has rewritten this loader to build encryption into some of the communication protocol with the command and control (C2) server.

More recently, the group has begun using a fileless loader called Ivoke, written in PowerShell. Silence began using fileless techniques later than other groups, showing that they are studying and then modifying other groups’ techniques, Group-IB said.

These loaders send information about the infected system to a C2 server, which prompts a manual command from the operator. They install either Silence.Main, a modular trojan that controls the victim’s computer and is updated from a Windows C2 server, or another newer trojan called EDA. EDA illustrates the group’s willingness to stand on the shoulders of giants – it is based on two open-source projects, Empire and dnscat2, which are both tools designed for penetration testing.

The group also uses a range of tools enabling it to move laterally across the victim’s network and to control ATM machines.

Going global

Silence began by targeting Russian organisations but then shifted to former Soviet countries. Since Group-IB’s first report, Silence has turned its attention to the rest of the world. Last November, it hit targets in 12 Asian countries, leading with Taiwan, Malaysia and South Korea. It also sent recon emails – although in smaller numbers – to British targets in October, followed by a malicious mail campaign against financial institutions in the UK on 4 January 2019.

However, it is still active in Russia and the former USSR, sending out 84,000 emails in Russia alone between 16 October 2018 and 1 January 2019.

In February, it managed to pilfer 25m roubles ($400,000) from the IT Bank in Omsk, Russia. This followed a phishing campaign in which it mailed malicious attachments to bank employees inviting them to the International Financial Forum.

In May, seven men wearing masks took $3m from ATMs at Dutch-Bangla bank in Bangladesh. That was a landmark heist for the group, because it was the first time that it had used Ivoke. They made phone calls when at the ATM, prompting a third party to send a command that dispensed cash from the machine, indicating that the machines were remotely controlled using Atmosphere, an ATM malware tool that has become Silence’s stock in trade.

Police arrested six of these mules, all Ukranian, who had flown in the previous day. Group-IB said:

The arrests of their money mules in Bangladesh did not slow the group down, and the hackers continued to expand their geography.

Most recently in July, the group successfully attacked banks in Chile, Bulgaria, Costa Rica, and Ghana. This was the first time it used the EDA trojan.

One significant nugget from the report is that the group was able to impersonate a real bank when testing its Russian addresses in a mass reconnaissance email campaign on 18 October 2018. This was because the real bank wasn’t using the sender policy framework (SPF), a key technology that helps prevent phishing. The moral of that story? Implement SPF for your domain. It’s like a vaccination – it’s for the good of the herd.