Hacking group targets banks with stealthy trojan malware campaign

Stolen credentials are used to launch attacks which include the ability to stream live video of the screens of infected users.
Written by Danny Palmer, Senior Writer


A previously unknown but highly organised hacking group is carrying out a series of cyber attacks against banks and financial institutions around the world, deploying trojan malware to gain entry into networks.

The attackers are capable of monitoring everything a victim does in order to provide them with all the information they need to sneak around bank networks and make off with stolen funds.

Uncovered by Kaspersky Lab, the 'Silence' hacking group is suspected to be a Russian-speaking operation which has hit at least 10 financial organisations including those in Armenia and Malaysia, but mostly within Russia.

The initial attack techniques of Silence campaigns are similar to those of other threat actors, including the infamous Carbanak group: initial victims are tricked by phishing emails which give the attackers a foothold in the network. They'll remain there for a long time, only striking when they have enough information to steal large amounts.

Those behind Silence appear to be actively targeting banks which have previously been attacked. They use emails from the addresses of real employees whose accounts have been compromised - potentially bought on the dark web - to send a phishing email about what looks to be a routine request to open a customer account.

The message comes with a malicious attachment in the form of a Windows Help (.CHM) file which runs once the document has been opened. JavaScript embedded within it automatically downloads and executes a Visual Basic script, which in turn downloads a malware dropper from a command and control server.
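As an added illustration that is not code from the article or from Kaspersky Lab's report: a small Python detector that walks constructed process-creation events looking for the chain described above (the Windows HTML Help viewer opening a .CHM, spawning a script host, which then launches a downloaded dropper). The event fields, the script-host watch list and the sample process names are assumptions.

```python
from collections import defaultdict

# Constructed sample process-creation events (Sysmon/EDR-style), not real
# telemetry. hh.exe is the Windows HTML Help viewer that opens .CHM files; the
# script-host names below are an assumption about how the embedded JavaScript
# and the Visual Basic script it fetches would be launched.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "hh.exe",       # malicious CHM attachment
     "cmd": r"hh.exe C:\Users\a\Downloads\account_request.chm"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",  # Visual Basic script stage
     "cmd": r"wscript.exe C:\Users\a\AppData\Local\Temp\dl.vbs"},
    {"pid": 500, "ppid": 400, "image": "dropper.exe",  # downloaded dropper
     "cmd": r"C:\Users\a\AppData\Local\Temp\dropper.exe"},
    {"pid": 600, "ppid": 100, "image": "hh.exe",       # benign help lookup
     "cmd": r"hh.exe C:\Windows\Help\mui\0409\help.chm"},
]

# Processes that commonly execute script stages; an assumed watch list.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def build_children(events):
    """Map each parent pid to the list of events it spawned."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return children


def find_chm_chains(events):
    """Return (chm_pid, script_host_pid, child_pid_or_None) for every hh.exe
    that spawned a script host. child_pid is set when the script host went on
    to spawn a further process (the dropper stage), the stronger signal."""
    children = build_children(events)
    hits = []
    for chm in (e for e in events if e["image"].lower() == "hh.exe"):
        for host in children[chm["pid"]]:
            if host["image"].lower() not in SCRIPT_HOSTS:
                continue
            grandchildren = children[host["pid"]]
            if grandchildren:
                hits.extend((chm["pid"], host["pid"], g["pid"]) for g in grandchildren)
            else:
                hits.append((chm["pid"], host["pid"], None))
    return hits


if __name__ == "__main__":
    for chm_pid, host_pid, child_pid in find_chm_chains(SAMPLE_EVENTS):
        level = "HIGH" if child_pid else "MEDIUM"
        tail = f" -> child pid {child_pid}" if child_pid else ""
        print(f"[{level}] hh.exe pid {chm_pid} -> script host pid {host_pid}{tail}")
```

The benign hh.exe launch (pid 600) produces no hit because it never spawns a script host, while the attachment chain is reported with its full parent-child lineage.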


It's the Russian language in the code which has led researchers to the conclusion that the attack group is Russian-speaking.

Once downloaded and installed on the system, the malware allows the attackers to take multiple screenshots of the victim's active screen, providing a real-time stream.

A similar technique was used by Carbanak to gain an understanding of the victim's day-to-day activity and points to the ultimate end goal of Silence - obtaining all the information required to eventually steal money.

The malware also includes a Winexecsvc tool which allows the execution of remote commands - useful when it comes to the attackers making their way around the infected network.

Researchers note that this particular campaign has been successful in attacking financial institutions, no matter where in the world they're based or what the network infrastructure looks like.

"We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed. The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank's security architecture," said Sergey Lozhkin, security expert at Kaspersky Lab.

While Silence uses very similar techniques to the Carbanak group - which has stolen more than $1 billion from banks worldwide - it's still uncertain if the two groups are at all related.

Researchers have warned that the attacks are still ongoing.

The Silence malware allows attackers to stealthily monitor everything happening on the screen of an infected user.
