Security researchers have lifted the lid on a new two-man cyber-heist outfit that has stolen $800,000 from banks around the world, with at least one member suspected of being a current or former white hat.
The Silence group was first detected by Group-IB back in 2016 when it unsuccessfully attempted to withdraw funds from AWS CBR, the automated workstation client of the Russian Central Bank.
Since then it has apparently expanded its repertoire to ATMs and card processing systems in more than 25 countries around the world, learning as it goes by analyzing other gangs’ methodologies.
The group is thought to be Russian-speaking based on the language it uses for commands, location of web hosting infrastructure and its targets.
Group-IB claimed there are just two members, a developer and an operator, which is why Silence takes so long to commit a theft: up to three months.
“One gang member — a developer — has skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly,” the firm claimed.
“The second member of the team is an operator. He’s got experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.”
Attacks follow a similar pattern: phishing emails sent to banking staff, purporting to come from co-workers. The group also registers phishing domains and uses self-signed certificates on them.
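The two lures described above (mail impersonating a co-worker, sent from a freshly registered look-alike domain) are the kind of thing a mail-gateway or SOC triage rule can catch on headers alone. The script below is an added example written for this article, not Group-IB's tooling or anything the Silence group used; the bank domain, the staff directory and the two sample messages are constructed for illustration. It flags a message when the display name matches a known employee but the sending address is external, when the sending domain is within a small edit distance of the real one or embeds it, and when Reply-To diverts replies to a different domain.

```python
"""Header-only triage for spear-phishing mail that impersonates co-workers.

Added example, not code from the original article or from Group-IB.
The internal domain, directory and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "examplebank.test"            # assumed bank domain
DIRECTORY = {                                   # assumed staff directory
    "Anna Petrova": "a.petrova@examplebank.test",
    "Ivan Sidorov": "i.sidorov@examplebank.test",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = INTERNAL_DOMAIN) -> bool:
    """True for domains that are not the target but resemble it:
    a typo within two edits, or the target's label embedded in a longer name
    (e.g. examplebank-login.test)."""
    if domain == target:
        return False
    base = target.rsplit(".", 1)[0]
    return levenshtein(domain, target) <= 2 or base in domain


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()

    if from_domain != INTERNAL_DOMAIN:
        # Co-worker name on an external address: classic impersonation.
        if name in DIRECTORY:
            findings.append(
                f"display name '{name}' matches staff but address {addr} is external")
        # Registered look-alike of the bank's own domain.
        if is_lookalike(from_domain):
            findings.append(f"From domain {from_domain} resembles {INTERNAL_DOMAIN}")

    # Reply-To pointing elsewhere diverts the victim's answer to the attacker.
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample: look-alike sender domain, staff display name, foreign Reply-To.
PHISH = b"""From: Anna Petrova <anna.petrova@examplebanc.test>
Reply-To: anna.petrova@mail-relay.example
To: i.sidorov@examplebank.test
Subject: Updated payment instructions

Ivan, please open the attached file before noon.
"""

# Constructed sample: ordinary internal mail, should produce no findings.
CLEAN = b"""From: Ivan Sidorov <i.sidorov@examplebank.test>
To: a.petrova@examplebank.test
Subject: Lunch

Anna, 13:00 at the usual place?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage(sample))
```

The look-alike test is deliberately loose (two edits, or the bank's label anywhere in the name) because the cost of a false positive here is a second look by an analyst, while a miss is a foothold on a teller's workstation; tune the threshold to the length of your own domain, and pair the rule with a certificate check on the linked site, since a self-signed certificate on a domain that imitates yours is itself a strong signal.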
“In their first operations, Silence used a borrowed backdoor — Kikothac, which makes it clear that the group began its activity without any preparation — these were attempts to test the waters,” Group-IB continued.
“Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs including Silence — a framework for infrastructure attacks, Atmosphere — a set of software tools for attacks on ATMs, Farse — a tool to obtain passwords from a compromised computer, and Cleaner — a tool for logs removal.”