General description
The Silence cybercrime group appeared in 2016 and attacked organizations in the credit and financial sector, mainly in Russia. The group's objective is to steal cash from hacked ATMs, card processing systems, and AWS-CBR. Since 2018, the group has expanded the geography of its attacks and now targets organizations all over the world. In some attacks, the group used tools from the TA505 group, which may indicate cooperation between the two groups.
Tools
- Silence Downloader
- Silence MainModule
- Silence ProxyBot
Target sectors
- The finance sector
Target countries
- Europe
- North America
- South America
- Central Asia
Objectives
- Cash theft
Alternative group names
None
Reports by Positive Technologies and other researchers
- https://www.group-ib.com/resources/threat-research/silence-attacks.html
- https://securelist.ru/the-silence/87891/
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Initial Access | ||
T1566.001 | Phishing: Spearphishing Attachment | Silence sent emails with malicious attachments in DOCX, CHM, LNK, and ZIP formats. |
Execution | ||
T1204.002 | User Execution: Malicious File | Silence tried to trick users into running malicious applications delivered by email. |
T1059.001 | Command and Scripting Interpreter: PowerShell | Silence used PowerShell scripts in attacks. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Silence used the Windows command line to run commands. |
T1059.005 | Command and Scripting Interpreter: Visual Basic | Silence used VBS scripts in attacks. |
T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Silence used JavaScript scripts in attacks. |
T1106 | Native API | Silence used the Windows API to perform various tasks. |
T1064 | Scripting | Silence used JavaScript, VBS, and PowerShell scripts. |
T1203 | Exploitation for Client Execution | Silence exploited the following vulnerabilities in attacks: CVE-2017-0199, CVE-2017-0262, CVE-2018-0802, and CVE-2018-8174. |
T1569.002 | System Services: Service Execution | Silence used the WinExe utility to install a service on a remote computer. |
Persistence | ||
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Silence gained persistence in the system via the registry or the STARTUP folder. |
Privilege Escalation | ||
T1078.002 | Valid Accounts: Domain Accounts | Silence used compromised credentials to log in to the system and escalate privileges. |
Defense Evasion | ||
T1107 | File Deletion | Silence used Windows scheduled tasks to delete files after they had been run. |
T1027 | Obfuscated Files or Information | Silence obfuscated its malware code. |
T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | Silence used CHM files in phishing campaigns. |
T1070.004 | Indicator Removal on Host: File Deletion | Silence removed artifacts from infected computers to hide traces of attacks. |
T1112 | Modify Registry | Silence modified values of some registry keys. |
T1036.005 | Masquerading: Match Legitimate Name or Location | Silence disguised its backdoor as the WINWORD.exe executable file. |
T1553.002 | Subvert Trust Controls: Code Signing | Silence used legitimate certificates to sign malware. |
Credential Access | ||
T1003.001 | OS Credential Dumping: LSASS Memory | Silence used the Farse6.1 utility to extract credentials from the lsass.exe process dump. |
Discovery | ||
T1082 | System Information Discovery | The group's malware collected information on the infected computer. |
T1057 | Process Discovery | The group's malware collected information on running processes. |
T1016 | System Network Configuration Discovery | The group's malware collected information about the network parameters of the infected computer. |
T1049 | System Network Connections Discovery | The group's malware collected information about the network connections of the infected computer. |
T1033 | System Owner/User Discovery | The group's malware collected information about users of the compromised computer. |
Lateral Movement | ||
T1072 | Software Deployment Tools | Silence used RAdmin for remote access to compromised computers and ATMs. |
Collection | ||
T1113 | Screen Capture | Silence took screen captures of the victims' screens. |
Command and Control | ||
T1571 | Non-Standard Port | Silence used non-standard ports to transfer information from the compromised computer to the C2 server. |