Researchers have uncovered a new advanced threat group which has targeted at least 10 financial institutions globally using tools and techniques similar to the notorious Carbanak group.
The group, dubbed “Silence” by Kaspersky Lab, begins its attacks via classic spear-phishing attempts, made more likely to succeed because it has already compromised the target company to hijack a real internal email account.
The attackers then send a request to open an account with the bank.
However, the attachment with the email contains a Microsoft Compiled HTML Help file, compromised to run malicious JavaScript once opened.
This will download and execute an obfuscated .VBS script which downloads and executes the final dropper: a win32 executable binary file which communicates with the C&C server, sends the ID of the infected machine and downloads and executes malicious payloads.
These payloads are designed to monitor everything the victim does — via screenshots and even a “real-time pseudo-video stream” — in order to build up a picture of their daily activity.
This activity is apparently similar to that of the Carbanak gang — first discovered by Kaspersky Lab in 2015 — which is estimated to have stolen in the region of $1bn from banks and individuals worldwide.
So far, the Silence group’s victims are mostly Russian banks, but researchers also found infected organizations in Malaysia and Armenia. Kaspersky Lab said that language artifacts discovered in the process of the investigation lead it to believe the hackers are Russian-speakers.
“The Silence Trojan is a fresh example of cyber-criminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” said security expert Sergey Lozhkin.
“The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”
The vendor urged organizations to invest in advanced threat detection systems, conduct regular pen testing and application assessments to minimize their attack surface, and configure email systems to scan for malicious attachments and phishy characteristics.
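As an added example (not from the article or from Kaspersky Lab's report), a small Python scanner for the attachment-scanning recommendation above: it flags inbound attachments that match the CHM delivery vector by extension, by MIME type and by the CHM file header ("ITSF" magic bytes), so a help file renamed to look like a PDF is still caught. The sample message, addresses and file names are constructed.

```python
"""Flag e-mail attachments matching the CHM delivery vector described above."""
import email
from email import policy
from email.message import EmailMessage

# Compiled HTML Help files begin with the "ITSF" header regardless of file name.
CHM_MAGIC = b"ITSF"
CHM_MIME = "application/vnd.ms-htmlhelp"
# Extensions from the chain in the article: the .chm lure and the .vbs second stage.
SUSPICIOUS_EXTENSIONS = (".chm", ".vbs")


def is_chm(payload: bytes) -> bool:
    """True if the payload carries the CHM magic bytes."""
    return payload[:4] == CHM_MAGIC


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that trips any of the three checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append("blocked extension")
        if part.get_content_type() == CHM_MIME:
            reasons.append("CHM MIME type")
        if is_chm(data):  # catches renamed files that bypass extension filters
            reasons.append("CHM magic bytes")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: an 'account opening' mail with a CHM renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "employee@example-bank.test"   # constructed hijacked internal sender
    msg["To"] = "accounts@example-bank.test"
    msg["Subject"] = "Account opening request"
    msg.set_content("Please see the attached application.")
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56  # header only, inert
    msg.add_attachment(fake_chm, maintype="application", subtype="octet-stream",
                       filename="application.pdf")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="form.pdf")
    return bytes(msg)
```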