A Russian-speaking threat group has managed to steal roughly $3.5 million since September 2018 by increasing the frequency of attacks, Singapore-based cybersecurity firm Group-IB reveals.
Tracked as Silence, the APT group was initially detailed a year ago, when it was only targeting 25 post-Soviet states and neighboring countries. Since then, however, the actor has expanded its operations globally, made changes to its TTPs, and also enhanced its arsenal of tools.
Over the past year, at least 16 new campaigns targeting banks in more than 30 countries across Europe, Latin America, Africa, and Asia have been associated with Silence. The total incurred losses have increased five-fold, from just $800,000 to $4.2 million, Group-IB’s security researchers reveal.
One of the attacks attributed to Silence is the attack on Dutch-Bangla Bank, where money mules were observed on CCTV footage withdrawing money from the bank’s ATMs. Other incidents were detected in India (August 2018), Russia (February 2019 and June 2019), Kyrgyzstan (May 2019), Chile, Ghana, Costa Rica, and Bulgaria (July 2019).
Additionally, the hackers have conducted one of their largest reconnaissance campaigns to date in Asia, which suggests they have a special interest in the region, Group-IB explains in a report shared with SecurityWeek.
The APT relies on phishing for initial compromise, but starting October 2018 it was observed using reconnaissance emails as part of a preparatory stage. The message looks like a “mail delivery failed” message containing a link without a malicious payload and it allows the attackers to obtain a list of valid emails while also learning what security solutions a targeted company uses.
Group-IB says it has identified at least three major reconnaissance campaigns spread across Asia, Europe and post-Soviet countries, with over 170,000 such “recon” emails. The largest of them was targeting Asia, with nearly 80,000 emails sent to organizations in Taiwan, Malaysia, South Korea, the UAE, Indonesia, Pakistan, Jordan, Saudi Arabia, Singapore, Vietnam, Hong Kong, and China since November 2018.
Over the past year, the group also expanded its arsenal of tools. Thus, since May 2019, they started using Ivoke, a PowerShell-based fileless loader, during the initial infection stage, in addition to the previously observed primary loader TrueBot, which has been rewritten.
Another new tool in the group’s arsenal is EmpireDNSAgent (or EDA), a PowerShell agent based on the Empire and dnscat2 projects that is employed during the lateral movement stage. The Trojan provides attackers with control over compromised systems through command shell and traffic tunneling via the DNS protocol.
In addition to its Atmosphere Trojan, designed to remotely control ATMs, the group also started using the xfs-disp.exe Trojan during the attack execution stage (the malware was supposedly used in the attack on the Russian IT Bank in February 2019).
Group-IB also says they discovered a connection between Silence and TA505, the Russian-speaking actor behind the Dridex and Locky malware families, among others.
Recently, TA505 targeted individuals at financial organizations in the US, the United Arab Emirates, and in Singapore with the FlawedAmmyy RAT. According to Group-IB, both the FlawedAmmyy downloader and Silence’s TrueBot downloader were created by the same Russian speaking developer.
“Early on, Silence showed signs of immaturity in its TTPs by making mistakes and copying practices from other groups. Since then, Silence have evolved into one of the most sophisticated threat actors targeting the financial sector not only in Russia, but also in Latin America, Europe, Africa, and especially Asia,” Rustam Mirkasymov, Head of Dynamic Malware Analysis department at Group-IB, says.
Related: Russian Hackers Use RATs to Target Financial Entities