Silence hackers target banks across 30 countries

• Silence hackers have launched 16 campaigns across 30 countries since September 2018.
• With a span of 3 years, from June 2016 to June 2019, Silence hackers have stolen at least 4.2 million US dollars.

What’s the matter?

Group-IB reported that Silence hackers have targeted banks across 30 countries including China, Russia, the United Kingdom, Bangladesh, and Bulgaria, among others.

A brief overview

The report published by Group-IB, ‘Silence 2.0 Going Global’ highlights the campaigns launched by Silence hackers between May 2018, and August 01, 2019, along with the hackers’ tactics, techniques, and procedures (TTPs).

The hacker group's TTPs has evolved as they’ve made numerous changes to their attack techniques in order to complicate detection by security tools.

Key findings

• According to the report, Silence hackers have launched 16 campaigns across 30 countries since September 2018.
• With a span of 3 years, from June 2016 to June 2019, Silence hackers have stolen at least 4.2 million US dollars.
• The group primarily relied on TrueBot loader, and later started using a fileless loader dubbed Ivoke and EmpireDNSAgent (EDA agent), both written in PowerShell.
• Based on the similarities found between Silence.Downloader aka TrueBot and FlawedAmmyy Downloader, researchers suspect Silence hackers to be linked to TA505 threat actor group.

Recon phishing campaigns

Silence hackers leverage phishing as their initial infection vector. They sent phishing emails that include an image or a link without a malicious payload to almost 85,000 recipients. The purpose of this phishing campaign was to create an up-to-date “target” list of active email addresses that can be used in future attacks.

The hackers carried out three such recon campaigns in Russia, Asia, and Europe.

• Silence hackers sent out 80,000 emails to banks in Asian countries including Taiwan, Malaysia, and South Korea, among others.
• They sent out almost 84,000 emails to banks in Russia between 16 October 2018 to 1 January 2019.
• Less than 10,000 emails were sent to banks in the UK.

Attacks launched between August 2018 and August 2019

• An Indian bank was successfully attacked in August 2018.
• In October 2018, malicious attack campaigns were launched against Russian banks.
• A massive phishing campaign pretending to come from the Central Bank of the Russian Federation was launched on November 15, and 16, 2018.
• The first stage of the Asian campaign was launched on November 20, 2018.
• Financial organizations in the UK were targeted in January 2019.
• In February 2019, hackers successfully withdrew 25 million roubles (~USD 400,000) from Omsk IT Bank in Russia.
• In May 2019, hackers withdrew $3 million from the ATMs of Dutch-Bangla Bank in Bangladesh.
• In June 2019, hackers launched a new attack on banks in Russia.
• In July 2019, banks in Chile, Bulgaria, Costa Rica , and Ghana were successfully attacked.