Silence

Silence is a trojan that was discovered targeting banks in Russia, Armenia, and Malaysia and used by profit-motivated threat actors to conduct cyber-heists. Once hackers have gained access to a bank employee's email account, either through the use of malware malware or through compromised and reused login credentials, they use that email account to impersonate the initial account holder and send spear-phishing emails to other employees within the same bank. These emails contain a CHM file attachment, a file commonly used by Microsoft's HTML-based help program. However, if this particular CHM file is downloaded and opened, it will run JavaScript commands that download and install a first-stage malware payload. This payload collects data on the infected machine, sends it to a C2 server controlled by the hackers, and the server determines if a second-stage malware payload, the Silence trojan, should be dropped. Silence is capable of taking repeated screenshots of the user's desktop quickly and upload them to the associated C2 server. Taking repeated screen shots rather than video footage helps the trojan to evade detection because less system resources are used. These screenshots can then be reviewed by the hackers for data that would assist them in conducting a cyber-heist. These incidents carry similarities to tactics, techniques, and procedures (TTPs) used by the Carbanak group; however, there is not enough evidence to draw a definite conclusion.

Reporting

  • November 2017: Silence trojan records pseudo-videos of bank PCs to aid bank cyber-heists. (Bleeping Computer)

Technical Analysis

Kaspersky provides technical analysis and IOCs for the Silence trojan, available here.