Security researchers at Kaspersky Labs have identified a new campaign they call “Silence”. The attackers gain access to the infrastructure of financial organizations and stay there for a prolonged period, studying the internal processes so that they can steal cash without being caught.
Long-term access lets the attackers learn a firm’s financial behaviour in detail. The researchers first observed this malware in September, in the networks of banks in Russia, Armenia and Malaysia, and believe there is a strong possibility that the attacks will spread to other locations.
The analysis shows that the Trojan has already been used in several countries, which indicates that the group’s activity is expanding. Like the tools used by the Carbanak group, it delivers its monitoring capabilities through separate modules.
Researchers named it “Silence” because the victims do not notice the attack: the malware works silently in the background while the victim goes about their normal activities. The operation begins with the attackers compromising machines at the targeted firm in order to gain access to employee email accounts; which method was used to compromise those machines is unknown.
From those compromised accounts the attackers then send phishing emails to other employees, making the attack multi-stage. Silence uses phishing emails as the initial infection route, sending them from the address of an employee at a previously infected organization. The email contains a request to open an account at the affected bank, a standard social engineering trick that makes the message look legitimate.
When launched, the attachment installs a dropper that connects to the C&C server and downloads several payloads. These give the malware a range of functionality, such as capturing screenshots, recording real-time video of the user’s desktop activity, and letting the attackers run Windows shell commands.
This type of attack has become common in recent years. Spear-phishing is still the most popular way to start a targeted campaign, and, among financial organizations at least, it is most effective when combined with compromised infrastructure and .CHM file attachments.
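A mail-gateway check a defender could build from the delivery pattern described above (a message from a peer bank carrying a Compiled HTML Help attachment). This is an added illustration, not code from Kaspersky or the original post; the message and attachment structures, the partner-domain list and the sample messages are all constructed for the example.

```python
"""Flag inbound mail that matches the Silence delivery pattern: a Compiled HTML
Help (.CHM) attachment, especially when the sender is a known partner bank.
Hypothetical example; all names and sample data are constructed."""
from dataclasses import dataclass
from typing import List, Set

CHM_MAGIC = b"ITSF"  # every Compiled HTML Help file starts with this signature


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachments: List[Attachment]


def is_chm(att: Attachment) -> bool:
    """True if the attachment is a CHM file, by extension or by its magic bytes.
    Checking the magic catches a .chm renamed to look like a harmless document."""
    return att.filename.lower().endswith(".chm") or att.content[:4] == CHM_MAGIC


def flag_message(msg: Message, partner_domains: Set[str]) -> List[str]:
    """Return the reasons a message is suspicious; an empty list means it is clean."""
    reasons = []
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    chm_names = [a.filename for a in msg.attachments if is_chm(a)]
    if chm_names:
        reasons.append("CHM attachment(s): " + ", ".join(chm_names))
        # Silence phishing is sent from an account at an already-infected bank,
        # so a CHM from a trusted partner domain deserves the highest priority.
        if sender_domain in partner_domains:
            reasons.append(f"sent from partner bank domain {sender_domain}")
    return reasons


if __name__ == "__main__":
    partners = {"partner-bank.example"}  # constructed list of peer institutions
    # Constructed sample: a CHM renamed to .pdf, sent from a partner bank.
    chm_bytes = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 8
    suspect = Message("alice@partner-bank.example", "ops@target-bank.example",
                      "Account opening request", [Attachment("request.pdf", chm_bytes)])
    for reason in flag_message(suspect, partners):
        print("ALERT:", reason)
```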
For more technical details, you can see the original Kaspersky post, here.