Friday, November 1, 2024
HomeComputer SecuritySilence Hacker Group Attack on Banks Around the World with new Tactics...

Silence Hacker Group Attack on Banks Around the World with new Tactics and Attack Tools

Published on

Malware protection

The silence hacker group is one of the most active threat actors group that targets financial sectors. The group initially attacks banks in Russia and now the group expanded its geography.

According to the report shared by Group-IB with GBHackers on Security, the hacker group has infected more than 30 countries across America, Europe, Africa, and Asia.

The group also made a number of changes to their toolset to stay undetected by security tools and they have also made changes to their encryption alphabets, string encryption, and commands for the bot and the main module.

It was believed that the group has stolen more than 4.2 million US dollars between June 2016 to June 2019. the group actively targets financial sectors.

- Advertisement - SIEM as a Service

Silence Group Campaigns

Silence group also uses phishing as an attack vector, the email sent by the silence group includes a picture or a link without a malicious payload and the email has been sent to over 85,000 users.

Starting from October 2018, the group started sending reconnaissance emails to get an updated list of the active email address and to obtain cybersecurity tools used in the companies.

Silence
Silence Group Email

Silence has conducted at least three campaigns using recon emails, the campaigns were no longer focused just on Russia and former Soviet countries, but spread across Asia and Europe. The Hacker group has sent more than 170,000 recon emails.

Silence Group Recon Emails

Tools and Tactics

The group uses almost the same tactics, they still use Microsoft Office documents with macros or exploits, CHM files, and.LNK shortcuts as malicious attachments.

“Threat actors have completely rewritten TrueBot loader, the first-stage module, on which the success of the group’s entire attack depends. The hackers also started using Invoke, a fileless loader, and EDA agent, both written in PowerShell.”

Silence
Silence Group Email Attack Stages

The attack success depends on the initial infection, the primary loader is Silence.Downloader (aka TrueBot), Group-IB also observed the threat actors fileless PowerShell loader called Ivoke.

Silence.Main is the primary payload that contains a full set of C&C commands that required to control the compromised computer and to download additional modules.

With the recent attacks, Silence group downloads a PowerShell agent based on the opensource projects Empire and dnscat2, along with that the group also downloads other proxy services to hide the C&C communication.

Silence
Silence Group Tools and Attacks

The final stage of the attack is to gain control over ATMs, the group uses Atmosphere Trojan which was designed by them or another program called xfs-disp.exe to dispense cash from ATMs.

Group-IB analysis revealed that FlawedAmmyy.Downloader and Silence.Downloader is developed by the same person and the developer is a Russian speaker and works actively on underground platforms. Researchers also believed the developer linked to attacks by TA505.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...