A Russian-speaking cybercriminal group, most commonly known as Silence APT, has drawn considerable attention for primarily targeting financial organisations in the former Soviet states and for aggressively attacking banks in neighbouring countries, with victims in over 30 countries across Asia, Africa, America and Europe. The group has been active since September 2016; its most recent successful campaign hit the Bangladesh-based Dutch-Bangla Bank, which lost over $3 million to a string of ATM cash withdrawals spread over several days.
According to the latest report from the Singapore-based cybersecurity firm Group-IB, Silence APT has significantly expanded its reach in recent months, increased the frequency of its attack campaigns and enhanced its arsenal. The report describes the group's evolution from young, highly motivated hackers into one of the most advanced and sophisticated persistent threat (APT) groups targeting banks worldwide. Silence APT has reworked its TTPs (tactics, techniques and procedures), changing its encryption alphabets, bot commands, string encryption and main module in order to evade detection by security tools.
One of the group's PowerShell agents, EDA, is designed to control compromised systems by executing tasks through the command shell and tunnelling its traffic over the DNS protocol; it is based entirely on the dnscat2 and Empire projects. Like most hacking groups, Silence APT relies on spear-phishing emails for initial compromise, using documents with macros, CHM files or .LNK shortcuts as the malicious attachments.
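A DNS-tunnelled agent of the kind described above has to encode every command and result chunk into query names, which is what a defender can key on. The following is an added example, not code from Group-IB's report or the original article: it scores resolver query logs per client and registered domain on the number of distinct subdomains, label length and label entropy, using constructed sample log lines, a placeholder domain, and illustrative thresholds that are assumptions rather than published indicators.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (timestamp client qtype qname); not real telemetry.
SAMPLE_LOG = """\
2019-07-01T10:00:01 10.0.0.5 A www.example.com
2019-07-01T10:00:02 10.0.0.5 A mail.example.com
2019-07-01T10:00:03 10.0.0.7 TXT 9a3f1c7e2b4d6a8f0e1c3b5d7a9f2e4c.c2-placeholder.test
2019-07-01T10:00:04 10.0.0.7 TXT 4d6a8f0e1c3b5d7a9f2e4c9a3f1c7e2b.c2-placeholder.test
2019-07-01T10:00:05 10.0.0.7 TXT 1c3b5d7a9f2e4c9a3f1c7e2b4d6a8f0e.c2-placeholder.test
2019-07-01T10:00:06 10.0.0.7 TXT 5d7a9f2e4c9a3f1c7e2b4d6a8f0e1c3b.c2-placeholder.test
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score far above normal hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text))) if n else 0.0

def split_qname(qname):
    """Naive (subdomain labels, registered domain) split; assumes no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def detect_dns_tunnelling(log_text, min_queries=4, max_label=30, max_entropy=3.5):
    """Flag (client, domain) pairs whose queries look like an encoded C2 channel:
    many distinct, long, high-entropy subdomains, often with TXT/NULL/CNAME types."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "longest": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        sub_labels, domain = split_qname(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subs"].add(".".join(sub_labels))
        s["longest"] = max([s["longest"]] + [len(l) for l in sub_labels])
        s["ent"] += max([shannon_entropy(l) for l in sub_labels] or [0.0])
        s["txt"] += qtype in ("TXT", "NULL", "CNAME")
    alerts = {}
    for key, s in stats.items():
        mean_ent = s["ent"] / s["queries"]
        if (s["queries"] >= min_queries and len(s["subs"]) >= min_queries
                and (s["longest"] >= max_label or mean_ent >= max_entropy)):
            alerts[key] = {"queries": s["queries"], "unique_subdomains": len(s["subs"]),
                           "longest_label": s["longest"], "mean_entropy": round(mean_ent, 2),
                           "txt_like": s["txt"]}
    return alerts
```

Running `detect_dns_tunnelling(SAMPLE_LOG)` flags only the 10.0.0.7 client talking to the placeholder domain; the two ordinary lookups from 10.0.0.5 never reach the query-count or entropy thresholds.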
Once inside a victim organisation, the group moves on to more sophisticated TTPs and deploys additional malware, usually either TrueBot or a new fileless PowerShell loader named Ivoke; both are designed to collect information about the compromised system and send it to an intermediate C&C server. To choose its targets, the group first builds an up-to-date list of active email addresses by sending ‘recon emails’, which typically contain only a picture or a link and carry no malicious payload.
The group's latest campaigns ran from May 2018 until 1 August 2019. The researchers describe a sharp increase in the damage from its operations and confirm that the amount of funds stolen by Silence APT has grown fivefold since its early days, to an estimated total of $4.2 million. Group-IB researchers also suspect that TrueBot (commonly known as Silence.Downloader) and the FlawedAmmyy loader were developed by the same person, since both pieces of malware were signed with the same digital certificate.
The FlawedAmmyy loader is a Remote Access Trojan (RAT) associated with TA505, a Russian-speaking threat group responsible for many large-scale attacks, ranging from highly targeted email attacks to massive, multi-million-message campaigns, since at least 2014.
Group-IB's researchers did not name the banks targeted by Silence APT, but revealed that the group successfully attacked banks in India in August 2018, the Russian IT Bank in February 2019, Kyrgyzstan in May 2019, Russia in June 2019, and Bulgaria, Costa Rica, Chile and Ghana in July 2019. Group-IB has published its more detailed findings on Silence APT in a new report titled “Silence 2.0: Going Global”.
Source: The Hacker News