Russian APT ‘Silence’ Steals $3.5 Million in One Year

A Russian-speaking threat group has managed to steal roughly $3.5 million since September 2018 by increasing the frequency of attacks, Singapore-based cybersecurity firm Group-IB reveals.

Tracked as Silence, the APT group was initially detailed a year ago, when it was only targeting 25 post-Soviet states and neighboring countries. Since then, however, the actor has expanded its operations globally, made changes to its TTPs, and also enhanced its arsenal of tools.

Over the past year, at least 16 new campaigns targeting banks in more than 30 countries across Europe, Latin America, Africa, and Asia have been associated with Silence. The total incurred losses have increased five-fold, from just $800,000 to $4.2 million, Group-IB’s security researchers reveal.

One of the attacks attributed to Silence is the attack on Dutch-Bangla Bank, where money mules were observed on CCTV footage withdrawing money from the bank’s ATMs. Other incidents were detected in India (August 2018), Russia (February 2019 and June 2019), Kyrgyzstan (May 2019), Chile, Ghana, Costa Rica, and Bulgaria (July 2019).

Additionally, the hackers have conducted one of their largest reconnaissance campaigns to date in Asia, which suggests they have a special interest in the region, Group-IB explains in a report shared with SecurityWeek.

The APT relies on phishing for initial compromise, but starting in October 2018 it was observed sending reconnaissance emails as a preparatory stage. The message mimics a “mail delivery failed” notification and contains a link with no malicious payload; it lets the attackers build a list of valid email addresses while also learning which security solutions a targeted company uses.
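A defender-side triage check for the fake-bounce technique described above, written as an added example rather than code from the report or from Group-IB. It assumes messages have already been parsed into dicts, that the organization's genuine NDRs only come from the (hypothetical) domains listed in TRUSTED_BOUNCE_DOMAINS, and uses constructed sample messages.

```python
import re
from urllib.parse import urlparse

# Assumption: genuine bounce messages for this organization originate only from
# its own mail servers and its filtering provider (hypothetical domains).
TRUSTED_BOUNCE_DOMAINS = {"mail.example-bank.test", "mx-filter.example-bank.test"}

NDR_SUBJECT = re.compile(
    r"(mail delivery failed|undeliverable|delivery status notification|returned mail)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def suspicious_bounce(msg):
    """Return the reasons a message looks like a reconnaissance 'fake bounce'.
    An empty list means the message does not match the pattern.
    msg keys: id, from_domain, subject, body."""
    reasons = []
    if not NDR_SUBJECT.search(msg["subject"]):
        return reasons  # not bounce-themed at all; out of scope for this check
    if msg["from_domain"].lower() not in TRUSTED_BOUNCE_DOMAINS:
        reasons.append("bounce-style subject from a sender domain that never emits our NDRs")
    # A real NDR quotes the failed message; it has no reason to carry a tracking link
    external = [u for u in URL_RE.findall(msg["body"])
                if urlparse(u).hostname not in TRUSTED_BOUNCE_DOMAINS]
    if external:
        reasons.append(f"{len(external)} external link(s) inside a bounce body: {', '.join(external)}")
    return reasons

def triage(messages):
    """Map message id -> reasons, for every message that trips at least one heuristic."""
    return {m["id"]: r for m in messages if (r := suspicious_bounce(m))}

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from_domain": "mail.example-bank.test",
     "subject": "Mail delivery failed: returning message to sender",
     "body": "This message was created automatically. Delivery to the following recipient failed."},
    {"id": "msg-2", "from_domain": "notify.mailer-cloud-example.test",
     "subject": "Mail delivery failed",
     "body": "Your message could not be delivered. View details: http://track.evil-example.test/r?id=abc"},
    {"id": "msg-3", "from_domain": "partner-example.test",
     "subject": "Q3 statement",
     "body": "Please find the statement at https://portal.partner-example.test/q3"},
]
```

Only `msg-2` is reported, with both reasons; a genuine NDR from the trusted MTA and an ordinary external message pass through untouched.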

Group-IB says it has identified at least three major reconnaissance campaigns spread across Asia, Europe and post-Soviet countries, with over 170,000 such “recon” emails. The largest of them was targeting Asia, with nearly 80,000 emails sent to organizations in Taiwan, Malaysia, South Korea, the UAE, Indonesia, Pakistan, Jordan, Saudi Arabia, Singapore, Vietnam, Hong Kong, and China since November 2018.

Over the past year, the group also expanded its arsenal of tools. Since May 2019 it has been using Ivoke, a PowerShell-based fileless loader, during the initial infection stage, alongside its previously observed primary loader TrueBot, which has been rewritten.


Another new tool in the group’s arsenal is EmpireDNSAgent (EDA), a PowerShell agent based on the Empire and dnscat2 projects that is employed during the lateral movement stage. The Trojan gives the attackers control over compromised systems through a command shell and tunnels its traffic over the DNS protocol.
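The DNS tunneling that EDA inherits from dnscat2 leaves a characteristic footprint in resolver logs: many never-repeated, long, high-entropy query names under one domain, often of TXT, CNAME or MX type. The heuristic scorer below is an added example (not code from the report, from Group-IB or from either project) that runs over constructed resolver log lines in a hypothetical "timestamp client qname qtype" format; the registered-domain extraction is a simplification that takes the last two labels.

```python
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of s; 4.0 is the maximum for a hex alphabet."""
    if not s:
        return 0.0
    n, counts = len(s), {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    # Constructed log format for this example: "<ts> <client_ip> <qname> <qtype>"
    _ts, client, qname, qtype = line.split()
    return client, qname.rstrip(".").lower(), qtype.upper()

def base_domain(qname):
    # Simplification: last two labels as the registered domain (a real deployment
    # would consult the Public Suffix List instead).
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname

def score_tunnels(lines, min_queries=8, min_unique_ratio=0.8, min_len=30, min_entropy=3.5):
    """Return one alert per (client, domain) pair whose query prefixes look like tunnelled data."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for line in lines:
        client, qname, qtype = parse_line(line)
        dom = base_domain(qname)
        prefix = qname[: -len(dom) - 1] if qname != dom else ""  # everything left of the domain
        s = stats[(client, dom)]
        s["n"] += 1
        s["names"].add(qname)
        s["len_sum"] += len(prefix)
        s["ent_sum"] += shannon_entropy(prefix.replace(".", ""))
        s["txt"] += qtype in ("TXT", "CNAME", "MX")  # record types dnscat2-style tunnels favour
    alerts = []
    for (client, dom), s in stats.items():
        if s["n"] < min_queries:
            continue  # too little traffic to judge
        uniq, avg_len, avg_ent = len(s["names"]) / s["n"], s["len_sum"] / s["n"], s["ent_sum"] / s["n"]
        if uniq >= min_unique_ratio and avg_len >= min_len and avg_ent >= min_entropy:
            alerts.append({"client": client, "domain": dom, "queries": s["n"], "unique_ratio": round(uniq, 2),
                           "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2), "txt_cname_mx": s["txt"]})
    return alerts

# Constructed sample log: one workstation doing ordinary lookups, one emitting tunnel-like queries.
_SEED = "a3f09c1e7b52d4864b7d1f3a9e0c5628"  # every hex digit appears exactly twice (entropy 4.0)
SAMPLE_LOG = [f"2019-08-21T10:00:{i:02d} 10.0.0.5 {n}.example-bank.test A"
              for i, n in enumerate(["www", "mail", "www", "intranet", "www", "mail", "www", "crm"])]
SAMPLE_LOG += [f"2019-08-21T10:01:{i:02d} 10.0.0.23 {(_SEED[i:] + _SEED[:i])[:16]}.{(_SEED[i:] + _SEED[:i])[16:]}.c2-example.test TXT"
               for i in range(8)]
```

On the sample the benign client repeats a handful of short names and is ignored, while 10.0.0.23 produces eight unique 33-character hex prefixes at maximum entropy, all as TXT queries, and is reported.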

In addition to its Atmosphere Trojan, designed to remotely control ATMs, the group also started using the xfs-disp.exe Trojan during the attack execution stage (the malware was supposedly used in the attack on the Russian IT Bank in February 2019).

Group-IB also says it discovered a connection between Silence and TA505, the Russian-speaking actor behind the Dridex and Locky malware families, among others.

Recently, TA505 targeted individuals at financial organizations in the US, the United Arab Emirates, and Singapore with the FlawedAmmyy RAT. According to Group-IB, both the FlawedAmmyy downloader and Silence’s TrueBot downloader were created by the same Russian-speaking developer.

“Early on, Silence showed signs of immaturity in its TTPs by making mistakes and copying practices from other groups. Since then, Silence have evolved into one of the most sophisticated threat actors targeting the financial sector not only in Russia, but also in Latin America, Europe, Africa, and especially Asia,” Rustam Mirkasymov, Head of Dynamic Malware Analysis department at Group-IB, says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
