Over the past year, Silence hackers have launched 16 campaigns across 30 countries. Read on to learn more.
Since September 2018, Silence hackers have launched 16 campaigns across 30 countries. Between June 2016 and June 2019, a span of three years, the group stole at least 4.2 million US dollars. Researchers at Group-IB, a Singapore-based cybersecurity company specializing in attack prevention, tracked Silence early on and judged its members to be familiar with white-hat security activity. According to a Group-IB report, Silence has targeted banks all over the world, in countries including China, Russia, the United Kingdom, Bangladesh, and Bulgaria, among others.
Tools, Tactics, Techniques
A Group-IB report published last year detailed the roles of the Silence hackers, their skills, their failures, and their successful bank heists. In a new report, Group-IB shares more details about the group’s tactics, techniques, and procedures to help other researchers detect attacks at an early stage and attribute them correctly.
The researchers say that Silence has improved its operational security and changed its toolset to thwart detection. Apart from rewriting the first-stage module (Silence.Downloader / Truebot), the group began using a PowerShell-based fileless loader called Ivoke. For lateral movement in the victim network, a new PowerShell agent is used, called EmpireDNSAgent (EDA) because it is based on the recently abandoned Empire framework and the dnscat2 project.
The Group-IB report ‘Silence 2.0 Going Global’ covers the campaigns Silence launched between May 2018 and August 1, 2019, along with the group’s tactics, techniques, and procedures (TTPs). The group’s TTPs have evolved: it has made numerous changes to its attack techniques in order to complicate detection by security tools. Silence primarily relied on the TrueBot loader, and later started using a fileless loader dubbed Ivoke and the EmpireDNSAgent (EDA agent), both written in PowerShell. Based on the similarities between Silence.Downloader (aka TrueBot) and the FlawedAmmyy downloader, the researchers suspect that Silence is linked to the TA505 threat actor group.
Global Phishing Campaigns
The activity of the advanced hacker group the researchers call Silence has increased significantly over the past year. Silence uses phishing as its initial infection vector. The hackers sent phishing emails containing only an image or a link, with no malicious payload, to almost 85,000 recipients. The purpose of this campaign was to build an up-to-date “target” list of active email addresses for use in future attacks. The hackers carried out three such reconnaissance campaigns, in Russia, Asia, and Europe. Silence sent out 80,000 emails to banks in Asian countries including Taiwan, Malaysia, and South Korea, among others. Between 16 October 2018 and 1 January 2019, the hackers sent almost 84,000 emails to banks in Russia and fewer than 10,000 emails to banks in the UK.
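The reconnaissance waves described above are payload-free by design: a message with only a remote image or a link confirms which mailboxes are live without tripping attachment-based controls. The following is an added detection example written for this page; it is not Group-IB's code and not tooling from the report. It assumes a hypothetical mail-gateway record format (timestamp, sender, recipient, attachment count, HTML body) and uses constructed sample messages and sender names; the thresholds are illustrative and would be tuned to real mail volume.

```python
"""
Heuristic detector for reconnaissance-style phishing waves: many
payload-free messages (no attachment, but a remote image or a link)
from one sender to many distinct recipients inside a short window.
All mail records below are constructed sample data, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway records (hypothetical format).
# Four tracking-pixel mails from one sender within 12 minutes, one
# legitimate internal mail with an attachment, one single newsletter.
SAMPLE_MAIL = [
    {"ts": datetime(2018, 11, 20, 9, 0), "sender": "news@bank-alerts.example",
     "recipient": "ops@bank-a.example", "attachments": 0,
     "body": '<p>Quarterly update</p><img src="https://bank-alerts.example/t.gif?id=1">'},
    {"ts": datetime(2018, 11, 20, 9, 3), "sender": "news@bank-alerts.example",
     "recipient": "treasury@bank-b.example", "attachments": 0,
     "body": '<p>Quarterly update</p><img src="https://bank-alerts.example/t.gif?id=2">'},
    {"ts": datetime(2018, 11, 20, 9, 7), "sender": "news@bank-alerts.example",
     "recipient": "it@bank-c.example", "attachments": 0,
     "body": '<p>Quarterly update</p><img src="https://bank-alerts.example/t.gif?id=3">'},
    {"ts": datetime(2018, 11, 20, 9, 12), "sender": "news@bank-alerts.example",
     "recipient": "cards@bank-d.example", "attachments": 0,
     "body": '<p>Quarterly update</p><img src="https://bank-alerts.example/t.gif?id=4">'},
    {"ts": datetime(2018, 11, 20, 9, 15), "sender": "colleague@bank-a.example",
     "recipient": "ops@bank-a.example", "attachments": 1,
     "body": "<p>Report attached</p>"},
    {"ts": datetime(2018, 11, 20, 10, 0), "sender": "newsletter@vendor.example",
     "recipient": "ops@bank-a.example", "attachments": 0,
     "body": '<a href="https://vendor.example/news">Read more</a>'},
]

# Remote image (tracking pixel) or external hyperlink in an HTML body.
REMOTE_IMG = re.compile(r'<img[^>]+src=["\']https?://', re.I)
EXT_LINK = re.compile(r'<a[^>]+href=["\']https?://', re.I)


def is_payload_free_probe(record):
    """True when a message carries no attachment but embeds a remote image
    or a link, i.e. it can confirm delivery or opens without a payload."""
    if record["attachments"] > 0:
        return False
    body = record["body"]
    return bool(REMOTE_IMG.search(body) or EXT_LINK.search(body))


def flag_recon_waves(records, min_recipients=3, window=timedelta(hours=1)):
    """Group probe messages by sender and report senders that reached at
    least `min_recipients` distinct mailboxes within `window`.
    Returns {sender: max distinct recipients seen in one window}."""
    by_sender = defaultdict(list)
    for rec in records:
        if is_payload_free_probe(rec):
            by_sender[rec["sender"]].append(rec)

    alerts = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m["ts"])
        start = 0
        # Sliding time window over the sender's probe messages.
        for end in range(len(msgs)):
            while msgs[end]["ts"] - msgs[start]["ts"] > window:
                start += 1
            recipients = {m["recipient"] for m in msgs[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts[sender] = max(alerts.get(sender, 0), len(recipients))
    return alerts


if __name__ == "__main__":
    for sender, count in flag_recon_waves(SAMPLE_MAIL).items():
        print(f"recon wave suspected: {sender} reached {count} mailboxes")
```

The window and recipient threshold are the tuning knobs: a real gateway sees bulk newsletters that match the payload-free pattern, so the sender's prior history (first-seen date, SPF/DKIM alignment) would normally be added as a second signal before alerting.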
An Indian bank was successfully attacked in August 2018 and the first stage of the Asian campaign was launched on November 20, 2018. In May 2019, hackers withdrew $3 million from the ATMs of Dutch-Bangla Bank in Bangladesh. In July 2019, banks in Chile, Bulgaria, Costa Rica and Ghana were successfully attacked.
In October 2018, malicious attack campaigns were launched against Russian banks. A massive phishing campaign pretending to come from the Central Bank of the Russian Federation was launched on November 15 and 16, 2018. In February 2019, hackers successfully withdrew 25 million roubles (~USD 400,000) from Omsk IT Bank in Russia. In June 2019, hackers launched a new attack on banks in Russia.