Scrappy 'Silence' Cybercrime Gang Refines Its Bank Attacks

Two-Person Gang Is Picking Up After Decline in Cobalt Attacks, Researchers Warn
Malicious "Contract.docx" document attached to phishing messages tied to the "Silence" cybercrime gang (Source: Group-IB)

A cybercrime gang called "Silence," which appears to have just two members, has been tied to attacks that have so far stolen at least $800,000, in part via ATM jackpotting or "cash out" attacks, warns Moscow-based cybersecurity firm Group-IB. Information security researchers have been tracking the gang since 2016, the company says.

"The group was named 'Silence' because of long pauses between their operations and low activity during the attacks," Rustam Mirkasymov, Group-IB's head of dynamic analysis of malicious code, tells Information Security Media Group.

The name was first applied to the attackers by Kaspersky Lab, based on its name for a backdoor they used. Last November, the security firm published a technical analysis of the tool as well as attacks that utilized it.

"The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank," Kaspersky Lab said in its report. "The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver."

Russian-language phishing email tied to "Silence" attacks (Source: Kaspersky Lab)

Researchers say the gang's phishing emails typically include an attached, malicious Microsoft Word document.

If attackers succeeded in duping a victim into opening the attachment, it would act as a dropper that downloads additional malware onto the PC, including a module able to grab screenshots of the victim's PC, which attackers use to make "video recordings of the day-to-day activity on bank employees' PCs, learning how things work in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready," Kaspersky Lab said.

As of September 2017, attacks tied to the group had compromised up to 10 banks in Russia, Armenia and Malaysia, Kaspersky Lab said, noting that such attacks remained ongoing.

Cobalt's Decline

Until earlier this year, the Cobalt gang appeared to be the dominant Russian cybercrime group. The group had been tied to the theft of as much as $1.2 billion from banks in 40 countries over a two-year period - at least until one of its alleged members was arrested in Spain in March.

Since then, researchers have seen a decline in attacks attributed to Cobalt. Meanwhile, Silence has become "one of the major threats to Russian and international banks," Group-IB says.

Silence's early attacks were amateurish, Group-IB reports. But it says the group's two members - one a developer, the other an operator who appears to have penetration testing experience - have been growing more sophisticated with each new attack campaign.

"Many of Silence's tools are legitimate; others they developed themselves and learn from other gangs," says Dmitry Volkov, Group-IB's CTO and head of threat intelligence (see Cybercrime as a Service: Tools + Knowledge = Profit).

"After having studied Silence's attacks, we concluded that they are most likely white hats evolving into black hats," who make ample use of all the cybercrime-as-a-service economy has to offer, he adds.

"The internet, particularly the underground web, favors this kind of transformation; it is far easier now to become a cybercriminal than five to seven years ago," Volkov says. "You can rent servers, modify existing exploits and use legal tools. It makes things more complicated for blue [good guy] teams and much easier for hackers."

The gang's scant manpower also "explains why they are so selective in their attack targets, and why it takes them so long - up to 3 months, which is at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt - to commit a theft," Group-IB says, referring to other cybercrime gangs that, like Silence, appear to be run by Russian-speaking hackers.

Phishing Tactics

Group-IB says the gang initially delivered phishing attacks via hacked servers as well as legitimate but compromised email accounts. Later, the gang graduated to registering its own phishing domains, backed by self-signed certificates to give them an air of authenticity. "Silence designs very well-crafted phishing emails usually purporting to be from bank employees," Group-IB says.

"To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as [malware command-and-control] servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May."

Europol is the EU's law enforcement intelligence agency (see Criminals Hide 'Billions' in Cryptocurrency, Europol Warns).

Silence's Tools

Group-IB's Mirkasymov says the tools that the Silence gang has used have included:

  • Silence: A framework for attacking banks' infrastructure, including card-processing systems and ATMs. It includes a backdoor, surveillance module and botnet proxy.
  • Atmosphere: A set of software for 'jackpotting' ATMs, as named by the Silence gang's developer.
  • Farse: A utility for getting passwords from an infected computer, again as named by the Silence gang's developer.
  • Cleaner: A tool for deleting remote-connection logs, as named by Group-IB.

The gang has also used several tools that it obtained from external sources, Group-IB says:

  • Kikothac: A backdoor that the Silence gang initially used as a standalone tool and later added to its Silence framework.
  • Smoke: A bot designed to initially infect PCs and serve as a dropper that installs more malware, installed via emails with malicious JavaScript. The bot has been in circulation since 2011. "The seller is a Russian-speaking hacker named SmokeLdr."
  • Undernet DDoS bot: The group has modified this Perl IRC DDoS bot, which it uses for conducting its own DDoS attacks. The script was first mentioned on a Spanish-language cybercrime forum in 2014.
Source: Group-IB

Attack Campaigns

Group-IB says Silence's attacks so far have targeted institutions in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. But it notes that the gang's phishing emails have been sent to bank employees across central and western Europe, as well as Africa and Asia.

To date, the security firm has definitively attributed five separate attack campaigns to Silence:

  • 2016: The gang attempted to withdraw money from a hacked institution via AWS CBR - the Automated Work Station Client of the Russian Central Bank. "However, due to some errors in payment orders, the theft was successfully prevented," Group-IB says.
  • 2017: The gang waged attacks on ATMs, including one theft that resulted in $100,000 being stolen in the course of one evening.
  • August 2017: The National Bank of Ukraine warned state-owned and private banks to beware of a large-scale phishing attack. "We believe that the message was the result of a phishing campaign by Silence against banks in Ukraine, Kazakhstan, and Russia," Group-IB says.
  • February 2018: The gang stole $550,000 in cash over the course of a weekend by hacking card processing systems and cashing out the attacks via ATMs.
  • April 2018: In a similar attack, the group stole $150,000 via ATMs. Compared to earlier attacks, however, "Silence's tools had been significantly modified: they were not burdened with redundant features and ran stably without bugs," Group-IB says in a report on the group.

Beyond those attacks, Group-IB says that it believes that "there have been other successful attacks on banks" also carried out by the group, noting that the pace of its attacks has been intensifying since late 2017, apparently as the group's two members become more skilled.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
