Silence Malware Steals Cash from Financial Institutions

IT security researchers at Kaspersky Lab have identified a new campaign they call "Silence". The attackers gain access to the infrastructure of financial organizations and remain there for a prolonged period, studying internal processes so that they can steal cash without being caught.

Having spent that long inside a network, the attackers can learn a firm's financial behaviour in detail. The malware was first noticed in September in the networks of banks in Russia, Armenia and Malaysia, and the researchers believe there is a strong possibility that the attacks will spread to other locations.

According to the analysis, the Trojan has already been used in several international locations, which indicates that the group's activity is expanding. Its approach resembles that of the Carbanak group: it gives the attackers different modules with monitoring capabilities.

The researchers named it "Silence" because the victim is not aware of the attack: the malware works quietly in the background while the victim goes about normal activities. To start the operation, the attackers first compromised some machines at targeted firms and ultimately gained access to employee email accounts; the method used to compromise those machines is unknown.

Second, they sent phishing emails from those compromised accounts to other employees, making this a multi-stage attack. Silence uses phishing emails as the initial infection route, sending them from the real employee addresses of a previously infected organization. The email carries a request to open an account at the affected bank, which looks legitimate because the message relies on a standard social-engineering trick and arrives from a genuine address.

[Screenshot: Silence malware]

In those rogue emails the Kaspersky Lab researchers found Microsoft Compiled HTML Help (CHM) files. Once the recipient opens the malicious CHM file, it executes embedded JavaScript, which in turn runs a VBS script downloaded from a malicious URL.

When launched, this installs a dropper that connects to the C&C server and downloads multiple payloads. The malware's modules offer different functionality, such as capturing screenshots and building a real-time video of the user's desktop activity, or letting the attackers run Windows shell commands.
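As an added example (not code from the original post or from Kaspersky's report), the following Python sketches the check a mail gateway could apply to the infection route described above: identify CHM attachments by their header bytes rather than by filename, and do not treat the sender address as a trust signal, because the lure arrives from a genuine account at an already-compromised organization. The addresses, subject line and attachment bytes are constructed for the example.

```python
"""Mail-gateway triage for CHM attachments (added example, not from the Kaspersky report).

Assumes the gateway hands us the raw RFC 822 bytes of each message.  The sender
address is deliberately NOT used as a signal: in the Silence campaign the mail
comes from a real employee account at an already-compromised organisation, so
sender reputation looks clean.  We key on the attachment content instead.
"""
from dataclasses import dataclass
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Microsoft Compiled HTML Help files (ITSS containers) start with the bytes "ITSF".
CHM_MAGIC = b"ITSF"


@dataclass
class Finding:
    sender: str
    filename: str
    reason: str


def is_chm(data: bytes) -> bool:
    """True if the bytes carry a CHM header, whatever the file is named."""
    return data[:len(CHM_MAGIC)] == CHM_MAGIC


def triage_message(raw: bytes) -> List[Finding]:
    """Return one Finding per CHM attachment found in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    findings: List[Finding] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if not is_chm(payload):
            continue
        reason = "CHM attachment identified by magic bytes"
        if not name.lower().endswith(".chm"):
            # A CHM renamed to look like a document is a stronger signal.
            reason += " (extension does not match content)"
        findings.append(Finding(sender=sender, filename=name, reason=reason))
    return findings


def build_sample(sender: str, filename: str, data: bytes) -> bytes:
    """Constructed test message resembling the 'open an account' lure."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "treasury@victim-bank.example"
    msg["Subject"] = "Request to open an account"
    msg.set_content("Please find the account opening request attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed sample bytes: only the CHM header signature plus padding, not a real
# (or malicious) CHM file.  A real file would contain an LZX-compressed ITSS store.
FAKE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

# Hypothetical sender: a legitimate address at a peer bank compromised earlier.
LURE_SENDER = "a.ivanova@partner-bank.example"

SAMPLE_CHM_MAIL = build_sample(LURE_SENDER, "account_request.chm", FAKE_CHM)
SAMPLE_RENAMED_MAIL = build_sample(LURE_SENDER, "account_request.doc", FAKE_CHM)
SAMPLE_CLEAN_MAIL = build_sample(LURE_SENDER, "account_request.pdf", FAKE_PDF)

if __name__ == "__main__":
    for label, raw in [("chm", SAMPLE_CHM_MAIL), ("renamed", SAMPLE_RENAMED_MAIL),
                       ("clean", SAMPLE_CLEAN_MAIL)]:
        for f in triage_message(raw):
            print(f"[{label}] {f.sender} -> {f.filename}: {f.reason}")
```

Where the business has no reason to exchange help files, the simpler control is to quarantine every CHM attachment at the gateway; the magic-byte check matters because it also catches a CHM renamed to .doc or .pdf, which a filename-based filter would pass through.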

This type of attack has become common in recent years. Spear-phishing is still the most popular way to initiate a targeted campaign, and it is most effective when combined with compromised infrastructure and CHM attachments, at least among financial organizations.

For more technical details, see the original Kaspersky post, here.

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
