Connect with us

Hi, what are you looking for?



New “Silence Trojan” Used in Ongoing Bank Attacks

Silence Trojan is a Fresh Example of Cybercriminals Shifting From Attacks on Users to Direct Attacks Against Banks

Silence Trojan is a Fresh Example of Cybercriminals Shifting From Attacks on Users to Direct Attacks Against Banks

Security researchers from Kaspersky Lab are monitoring an ongoing cyber attack against primarily Russian, but also Malaysian and Armenian, financial institutions. The attack is new and has been dubbed ‘Silence’. The researchers make no attribution for the attackers, but note that the attack methodology is broadly similar to that used in earlier successful Carbanak bank attacks. 

The attack starts with gaining access to the email account of an employee working in a financial institution. The method is not important — it could be spam-delivered malware or via a re-used password leaked from an unrelated breach. However, once the attackers have access to a genuine employee’s email, they can deliver more compelling spear-phishing attacks against the target bank’s own employees.

Banks Targeted by Cybercriminals Using Silence TrojanTypically, say Kaspersky Lab’s GReAT researchers in a report published Wednesday, “The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank. The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”

The spear-phishing email carries a .CHM attachment. This is Microsoft’s own online help format consisting of a collection of HTML pages, indexing and other navigation tools. The point is that CHM files are highly interactive and can contain and run JavaScript. If the target can be enticed to open the attachment, the embedded ‘start.htm’ is automatically run. The JavaScript downloads an obfuscated .VBS script, which in turn downloads the dropper.

In this instance, the dropper is a Win-32 executable that communicates with the attackers’ C&C server. It sends the ID of the infected machine, and downloads and executes malicious payloads. These provide various functions such as screen recording and data uploading. As with the earlier Carbanak attacks, the Silence group now takes its time to learn and understand how the bank operates. The Carbanak group (also known as Anunak) is thought to have stolen upwards of $1 billion over the last few years.

Key to this ‘learning’ phase is the generation of pseudo screen videos. A downloaded ‘monitoring and control’ module “takes multiple screenshots of the victim’s active screen, providing a real-time pseudo-video stream with all the victim’s activity.” Taking individual screenshots rather than a genuine video will use less system resources and help the process remain under the radar of the user.

The information contained in the ‘video’, however, is likely to provide useful data on how the bank works, URLs used in the bank’s management systems, and further exploitable applications. This data is gathered and analyzed by the attackers until they have enough information to strike and steal as much money as possible.

Advertisement. Scroll to continue reading.

“The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed. The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture,” notes Sergey Lozhkin, security expert at Kaspersky Lab.

So far, Kaspersky Lab has provided no information on which banks are being attacked, nor whether any (nor how much) money may have been stolen. Nevertheless, the attack is further corroboration that criminals are beginning to attack banks directly for large amounts rather than bank customers for small amounts.

In October 2017, SpiderLab’s described a bank attack that combines cybercriminal and organized crime gangs to steal large amounts of cash via ATM devices. By compromising bank systems, and creating fake accounts with large overdrafts, the attackers were able to withdraw thousands of dollars from various ATMs. SpiderLabs believes that at least four banks in Russia and post-Soviet states have lost an average of $10 million dollars each in this process.

RelatedCarbanak Hackers Hit Hospitality Firms With New Tactics


RelatedCarbanak Group Used Numerous Tools in Recent Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...