Silence like a cancer grows


Our experts have discovered a new targeted attack using a Trojan by the name of Silence against financial institutions. Russian banks are first in the line of fire, but Malaysian and Armenian organizations have also been infected.

Tactically, the attack is very similar to the canonical financial APT campaign, the notorious Carbanak: a phishing e-mail with a malicious attachment sent to employees of banks and financial organizations, followed by spying on employees and then, suddenly, a fraudulent transaction. This proven method has already brought its operators billions of dollars, so why not try it again?

This time around, however, the attackers have refined the e-mail hook. Having infected and firmly established themselves in one organization's infrastructure, the attackers begin e-mailing "contracts" to that bank's partners. The next victim receives a phishing message from the genuine address of a real employee of an already-compromised bank, not from a spoofed or external sender, so sender-reputation checks and "don't open attachments from strangers" advice offer little protection. This greatly increases the likelihood of the malicious attachment being opened.

How Silence works

The victim, a financial employee, opens the attached "contract," which is a file with the .chm extension, the Microsoft Compiled HTML Help format. A CHM file is an archive of HTML pages that Windows renders with scripting enabled when it is opened, so it is an executable container rather than a passive document. The embedded HTML file contains malicious JavaScript code, which downloads and runs a dropper; the dropper then fetches the modules of the Silence Trojan and installs them as Windows services. We have found modules for control and monitoring, screen recording, and communication with the command-and-control servers, plus a program for remote execution of console commands.

The modules let the attackers collect data about the infected network and record images from employees’ screens. At first, they monitor everyone, but then they shift focus to those most likely to possess useful financial information. Once the intruders have a thorough understanding of how the victim’s information systems work, they give the order to transfer funds to their own accounts.
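Because the Silence modules are installed as Windows services, the "service installed" event that Windows writes to the System log (Event ID 7045) is a natural place to look for the dropper's footprint, independent of the attachment that delivered it. The script below is an added example written for this article, not code from Kaspersky or from the Securelist analysis: it triages flattened 7045 records and flags services whose binary lives in a user-writable directory or whose image path is a script host such as cmd.exe or wscript.exe. The log lines are constructed for illustration and contain no real Silence indicators; the list of "untrusted" directories and script hosts is an assumption that a real deployment would tune to its own environment.

```python
"""Triage of Windows 'service installed' events (System log, Event ID 7045).

Added example for the Silence write-up; not Kaspersky's or Securelist's code.
All log records here are constructed and contain no real indicators.
"""
import re
from dataclasses import dataclass, field

# Directories from which a legitimate service binary is rarely launched.
# Assumption: tune this allow/deny list to the environment being monitored.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
    "%temp%", "%appdata%", "%localappdata%", "%public%",
)
# Script hosts and living-off-the-land binaries that droppers commonly register
# as the service image so that a script, not a real service binary, runs.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample records in the shape a SIEM often gives 7045 events:
# one event per line, key=value fields separated by '|'.
SAMPLE_EVENTS = [
    r"EventID=7045|Host=WS-ACCT-17|ServiceName=Windows Update Medic|ImagePath=C:\Windows\System32\svchost.exe -k netsvcs|StartType=auto start|Account=LocalSystem",
    r'EventID=7045|Host=WS-ACCT-17|ServiceName=Example AV Service|ImagePath="C:\Program Files\Example AV\avsvc.exe" -svc|StartType=auto start|Account=LocalSystem',
    r"EventID=7036|Host=WS-ACCT-17|ServiceName=Example AV Service|State=running",
    r"EventID=7045|Host=WS-ACCT-17|ServiceName=WinUpdSvc|ImagePath=C:\ProgramData\Update\svcupd.exe|StartType=auto start|Account=LocalSystem",
    r"EventID=7045|Host=WS-ACCT-22|ServiceName=TaskHelper|ImagePath=C:\Windows\System32\cmd.exe /c wscript.exe C:\Users\jdoe\AppData\Local\Temp\run.vbs|StartType=demand start|Account=LocalSystem",
]


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    account: str
    reasons: list = field(default_factory=list)


def parse_7045(line):
    """Split a flattened record into fields; return None unless it is a 7045 event."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields if fields.get("EventID") == "7045" else None


# First executable-looking token of an ImagePath, quoted or not, without arguments.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))\b"?', re.IGNORECASE)


def executable_of(image_path):
    """Return the lower-cased executable component of an ImagePath."""
    match = _EXE_RE.match(image_path)
    if match:
        return match.group(1).lower()
    tokens = image_path.split()
    return tokens[0].lower() if tokens else ""


def assess(fields):
    """Apply the two heuristics to one parsed 7045 event; return a Finding or None."""
    image_path = fields.get("ImagePath", "")
    exe = executable_of(image_path)
    reasons = []
    if any(exe.startswith(p) for p in USER_WRITABLE_PREFIXES):
        reasons.append("service binary in user-writable directory")
    elif any(p in image_path.lower() for p in USER_WRITABLE_PREFIXES):
        reasons.append("arguments reference a user-writable directory")
    if exe.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("script host or LOLBin used as service image")
    if not reasons:
        return None
    return Finding(fields.get("Host", "?"), fields.get("ServiceName", "?"),
                   image_path, fields.get("Account", "?"), reasons)


def triage(lines):
    """Return a Finding for every suspicious 7045 event in the input lines."""
    findings = []
    for line in lines:
        fields = parse_7045(line)
        if fields is not None:
            finding = assess(fields)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service}' ({f.account}) -> {'; '.join(f.reasons)}")
        print(f"    ImagePath: {f.image_path}")
```

Run as-is it reports the two constructed suspicious services and ignores the benign svchost and vendor entries as well as the unrelated 7036 record. The heuristics deliberately stay simple; in practice they are a first-pass filter to combine with host baselining (a service name never seen before in the fleet) and with the e-mail gateway's record of which hosts received .chm attachments.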

Technical details and IOCs can be found in this Securelist post.

How to protect your business against a Silence attack

As you can see, reminding employees not to open attachments from external e-mails is not sufficient: the Silence lure arrives from the real address of a known partner's employee. To protect financial institutions against modern-day cyberthreats, we recommend:

  1. Holding training sessions and workshops to raise employee awareness. Check out Kaspersky Security Awareness, for example: It’s not a series of lectures about threats, but more practical exercises with attack simulations that help to develop employees’ practical skills.
  2. Using solutions capable of detecting anomalies in the network at a deep level. For example, Kaspersky Anti Targeted Attack. This security solution is able to detect targeted attacks even if they employ as-yet-unknown methods.