Attacks/Breaches

11/1/2017
05:39 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

'Silence' Trojan Mimics Carbanak to Spy, Steal from Banks

Attackers break into financial organizations and stay there to record employees' activities, steal data, and use it to steal, similar to the Carbanak group.

A new attack targeting financial institutions is leveraging techniques similar to those used by the Carbanak hacker group, report Kaspersky Lab researchers. The "Silence group," as it's being called, deploys the Silence Trojan after spending long periods of time in a target organization.

The goal is not to target the banks' customers, but the banks themselves, for financial gain.

Silence gains entry into financial businesses by tricking employees with spearphishing emails. Attackers often use email addresses belonging to employees of organizations they previously infected, and ask victims to open an account. From a legitimate address, it seems unsuspicious.

Bundled with the email is a malicious attachment, which attackers exploit to run payloads once the victim clicks it. This prompts a series of downloads and executes the dropper, which communicates with the C&C server and downloads and executes malicious modules to monitor victims through screen recording, data upload, credential theft, and remote control access.

The "monitoring and control" module records the victim by taking multiple screenshots of their active monitor to provide a real-time stream. A "screen activity gathering module" uses the Windows Graphics Device Interface (GDI) and Windows API to capture screen activity, putting together collected bitmaps to create a "pseudo-video stream" of the victim's activity, researchers explain.

From there, attackers lie in the network long enough to obtain sufficient data to steal money.

The Silence Trojan employs monitoring capabilities similar to those used by the Carbanak group, a cybercrime organization based in Eastern Europe. Carbanak also used spearphishing campaigns to target financial institutions, mostly in Russia with some in Denmark and the United States.

Using a remote Trojan backdoor, Carbanak spied, stole data, and gave remote access to infected machines. Spying gave the group information it needed to steal about $1 billion over two years from 100 different banks in 30 countries. Sergey Lozhkin, Kaspersky Lab security expert, compares the two:

"These operations utilize the following similar technique: they gain persistent access to internal banking networks for a long period, monitor its day-to-day activity, examine the details of each separate bank network and then use that knowledge to steal as much money as possible," he says.

"One strong similarity to Carbanak is the persistence to understand the victim's day-to-day activity and obtain enough information for eventual monetary gain."

Based on the language found during their research of the attack, experts conclude the threat actors behind Silence speak Russian. Most of Silence's victims have been Russian banks, though it has also infected businesses in Malaysia and Armenia. The attacks are still ongoing.

"The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks," says Lozhkin in a blog post on the discovery. "We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed."

This isn't the first time attackers have used strategies similar to Carbanak's. In October 2016, Symantec found a group of hackers targeting the SWIFT payments network with an advanced Trojan called Odinaff. The "Odinaff group" attempted to infiltrate several financial services and banking businesses. Some of their tools and infrastructure were similar to those in Carbanak campaigns.

Similar targets aside, the Odinaff group used three command-and-control IP addresses associated with old reported Carbanak campaigns. Experts said the Odinaff attackers could be part of Carbanak, or the two could be loosely affiliated.

"The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether," Kaspersky researchers write, highlighting the common flaws of improper system configurations and errors in proprietary applications.

Researchers did not confirm whether the Silence Trojan was created by a spinoff of the Carbanak group, or another group copying its tools and techniques. The discovery also did not imply any direct connections between Carbanak and another threat actor group.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.