Contrary to their moniker, the Silence cybercriminal group has been reported to be actively targeting banks and financial institutions in more than 30 countries. In a follow-up report that tracked Silence’s activities, the researchers noted how the group transitioned from a band of threat actors who haphazardly mimicked the tactics, techniques, and procedures (TTPs) of established hacking groups to a full-fledged cybercriminal group that constantly fine-tunes their toolkit and uses its own malware to hijack ATMs. Silence reportedly stole US$4.2 million from June 2016 to August 2019.
As further proof of their evolution, Silence successfully stole US$3 million from an Indian bank last May. Three months prior, Silence stole US$400,000 from a Russian bank. In July, the group was able to compromise the workstations of banks in Bulgaria, Chile, Costa Rica, and Ghana. Silence has also started using fileless malware, using a fileless backdoor and abusing PowerShell-based, open-source projects to gather information and move laterally within the infected systems.
[Trend Micro Research: Banks Under Attack: Tactics and Techniques Used to Target Financial Organizations]
Silence’s typical attack entails the use of large-scale phishing campaigns to update their database of current targets, and determine the antivirus (AV) solutions the organization is using. Since September 2018, for instance, Silence has sent over 170,000 phishing emails to financial organizations in Russia, countries in the Commonwealth of Independent States, Asia, and Europe to reconnoiter their targets of interest. According to Group-IB’s report, the banks in Asia that received the most of these phishing emails were in Taiwan, Malaysia, South Korea, United Arab Emirates, and Indonesia.
The actual attack involves the use of Microsoft Office documents laden with malicious macro or exploits. Once the system is infected, a loader malware — either Truebot or the Ivoke fileless loader — is used to collect information about the system to determine if it’s a target of interest. If it is, the main trojan (Silence.Main) is delivered to hijack the compromised system. Silence also uses several utilities to laterally move across networks, and uses its own malware (Atmosphere Trojan) to illicitly control ATMs.
[InfoSec Guide: Defending Against Email-Borne Threats]
While Silence’s modus may not be groundbreaking (the group has just begun using fileless techniques, repurposed open-source projects, and used an old vulnerability for their exploits), but if the money they’ve so far stolen is any indication, it has proven to be effective. Silence and similar groups such as Cobalt, Lurk, and FIN7 take advantage of security gaps and lapses in an organization — whether in its technology, people, and processes. Carbanak, for example, reportedly managed to siphon US$1.2 billion from over 100 financial institutions across 40 countries since it first emerged in 2013, using a variety of tactics and techniques to deliver its malware.
For financial organizations, the adverse impact goes beyond financial losses. They also have to contend with damage to their reputation, particularly loss in customer trust, as well as hefty penalties they might incur from infringing data protection regulations, such as the EU General Data Protection and Regulation.
Given these potential risks, organizations should ensure the privacy, security, and integrity of their online infrastructures — from the email gateway, network, and servers to endpoints. Fostering a culture of cybersecurity awareness, particularly on phishing, social engineering, and email-borne threats also helps in combatting threats.
Trend Micro's Smart Protection Suites deliver several capabilities like high-fidelity machine learning and web reputation services that thwart phishing scams and minimize the impact of persistent, fileless threats. The Trend Micro™ Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not being downloaded on the physical endpoints.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.