U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Silence Group is borrowing Carbanak TTPs in ongoing bank attacks

A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the Carbanak group. A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the dreaded Carbanak hacker group that stole as much as $1 billion from banks worldwide. […]

Executive Director "Cyber Security National Laboratory" and Coordinator "National Committee for Cybersecurity Research

A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the Carbanak group.

A cybercrime gang called Silence targeted at least 10 banks in Russia, Armenia, and Malaysia borrowing hacking techniques from the dreaded Carbanak hacker group that stole as much as $1 billion from banks worldwide.

The Silence gang was uncovered by researchers at Kaspersky Lab who speculate it is imitating the notorious Carbanak group.

“In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready.” states the report published by Kaspersky.

“We saw that technique before in Carbanak, and other similar cases worldwide.”

The attackers leverage spear-phishing emails with a malicious attachment, the experts pointed out that the Silence group first compromised banking infrastructure in order to send the messages from the addresses of bank employees.

At the time, experts from Kaspersky have no information on how much the Silence group had stolen to date, they confirmed the attacks are still ongoing.

The hackers use legitimate administration tools to fly under the radar making hard the detection of the fraudulent activities.

“This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks.” states Kaspersky Lab.

“The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.”

Silence Group

The group used backdoors to gain persistence on the targeted banks and monitor operations of its employees, the malicious code allows them to upload data, steal credentials, record the screen like the Carbanak does.

Screen grabs allow cyber criminals to create a video recording of daily activity on employees’ computers, such kind of information is essential for the cyber heists.

The experts discovered the hackers leverage a proprietary Microsoft online help format called Microsoft Compiled HTML Help (CHM) because CHM files are interactive and can run JavaScript.

“These files are highly interactive and can run a series of technologies including JavaScript, which can redirect a victim towards an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed.” Kaspersky Lab said.

“Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL” 

Once the dropper is unpacked and executed from the C&C, a number of payload modules are dropped that allow the attackers to spy on the internal staff of the targeted banks.

One of those modules is the screen monitor, which leveraged the Windows GDI and API tools to create a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.

Further details are available in the report, including Indicators of Compromise.

Kaspersky will continue to monitor the Silence Group.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Silence group, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]