Silence Trojan stealing money from Russian banks
Fri 3 Nov 2017
Banks have fallen victim to a series of targeted attacks by a Trojan called Silence, according to a report from Kaspersky Lab.
The financial institutions affected have mostly been Russian banks, though organisations in Malaysia and Armenia have also suffered attacks.
The Trojan is another instance of an advanced persistent threat (APT) campaign, in which the attacking software lodges itself in the network for a significant amount of time while going unnoticed. The attackers then observe the way the bank works – for instance, its protocols and contacts – and only then launch a phishing campaign.
A very similar attack, called Carbanak, was discovered in 2014. Kaspersky also found that campaign and believes money was stolen from banks then, as it says is the case now.
However, Kaspersky states that on this occasion, the attack is more sophisticated in terms of social engineering, noting that ‘having infected and firmly infiltrated the infrastructure of an organization, the attackers start e-mailing “contracts” to the bank’s partners. The next victim receives a phishing message from the address of a real person who works at the bank.’
This, Kaspersky argues, makes it significantly more likely that the bad attachment will be opened. Many phishing emails are relatively transparent, particularly to experienced eyes, but coming from a legitimate contact makes it very difficult to screen against.
The attackers, once in the system, are able to very closely observe the work of those in the bank. According to Kaspersky, they are likely to be making video recordings of employees’ activity, including which software they are using. Once the hackers have gained sufficient knowledge, they will steal ‘as much money as possible’, says Kaspersky.
The attached file itself, disguised as a contract, has been found to be a .chm file – a Microsoft Compiled HTML Help file, a format described as ‘highly interactive’ and able to direct a victim to an external URL as soon as it is opened.
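Because the lure arrives as a CHM file named like a contract, one useful control at the mail gateway is to flag CHM attachments by their file signature rather than by name alone. The following is an added example written for this article, not code from Kaspersky's report: it parses a constructed sample message and flags attachments that carry the CHM magic bytes (`ITSF`, the header of every Compiled HTML Help file) or a `.chm` extension, including a CHM payload hiding under a different extension.

```python
import email
from email import policy
from email.message import EmailMessage

# Every Compiled HTML Help file begins with the ITSF ("InfoTech Storage Format") signature.
CHM_MAGIC = b"ITSF"


def find_chm_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that is, or claims to be, a CHM file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".chm")
        by_magic = data[:4] == CHM_MAGIC
        if by_ext and by_magic:
            findings.append((name, "chm-extension-and-magic"))
        elif by_magic:
            # The dangerous case: CHM content disguised under a harmless-looking name.
            findings.append((name, "chm-magic-under-other-extension"))
        elif by_ext:
            findings.append((name, "chm-extension-without-magic"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one real-looking CHM, one PDF, one CHM renamed to .doc."""
    msg = EmailMessage()
    msg["From"] = "partner@bank.example"      # constructed sender, mirrors the "trusted contact" lure
    msg["To"] = "ops@customer.example"
    msg["Subject"] = "Contract for signature"
    msg.set_content("Please review the attached contract.")
    # Only the 4-byte header matters for this check; the rest is zero padding.
    msg.add_attachment(CHM_MAGIC + b"\x00" * 36, maintype="application",
                       subtype="octet-stream", filename="contract.chm")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(CHM_MAGIC + b"\x00" * 36, maintype="application",
                       subtype="msword", filename="contract.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_chm_attachments(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```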
In this instance, Kaspersky believes it is not enough simply to direct employees not to open external emails, and suggests more in-depth training. It says the attacks are ongoing.