Delaware, USA – July 3, 2019 – Silence APT attacked at least three banks in Bangladesh; Dutch Bangla Bank Limited suffered the most, with the attackers stealing about $3 million from it. The other banks, Prime Bank and NCC Bank, claim that they detected the cyber attack in time and avoided financial losses, but The Daily Star sources claim that losses still occurred, only much smaller ones. Group-IB experts analyzed all the incidents and attributed them to the Russian financially motivated hacker group, which until recently had attacked banks only in the CIS region. The attackers had compromised Dutch Bangla Bank's Internet-facing hosts by February at the latest, since communications with the group's command-and-control infrastructure can be traced back to that time. The goal of the attack was to gain control over the card processing system and to collect data for cloning payment cards; for this, the group used a set of custom trojans: TrueBot, Silence.MainModule, and Silence.ProxyBot. Then, using mules with cloned bank cards, the attackers withdrew $3M from ATMs in Russia, Ukraine, and Cyprus over several days, confirming the transactions through the compromised card processing system. The bank's security department probably failed to find all of the group's malware and to close the 'loophole' through which the group had penetrated the bank's network, because a few weeks later Silence tried to repeat the attack by sending mules to Bangladesh, where they managed to withdraw only about $20,000 before they were detained by local police.
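The cash-out stage described above leaves a distinctive trace on the issuer's side: cloned cards of a Bangladeshi bank are drained at ATMs in several foreign countries within a few days. The following script is an added example, not code from the original report or from Group-IB, showing how a fraud-monitoring team could flag that pattern over withdrawal records. The transaction records, the issuer country ("BD") and the thresholds are constructed assumptions for illustration.

```python
"""Flag ATM withdrawal patterns consistent with cloned cards being cashed out abroad.

Added example: the records below are constructed for illustration and are not
data from the incident; the issuer country and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals: (card_id, UTC timestamp, ATM country, amount in USD).
SAMPLE_WITHDRAWALS = [
    ("card-0001", "2019-05-31T10:05:00", "BD", 80.0),   # normal use in the issuer's country
    ("card-0001", "2019-05-31T18:40:00", "BD", 120.0),
    ("card-0002", "2019-05-31T22:10:00", "RU", 900.0),  # rapid multi-country cash-out
    ("card-0002", "2019-05-31T22:14:00", "RU", 900.0),
    ("card-0002", "2019-06-01T01:30:00", "UA", 850.0),
    ("card-0002", "2019-06-01T20:00:00", "CY", 950.0),
    ("card-0003", "2019-06-01T09:00:00", "BD", 50.0),
    ("card-0003", "2019-06-02T09:00:00", "CY", 600.0),  # single foreign withdrawal: plausible travel
]

ISSUER_COUNTRY = "BD"  # assumption: the issuing bank is located in Bangladesh


def parse_withdrawals(records):
    """Turn raw tuples into dicts with parsed timestamps, sorted by card and time."""
    parsed = [
        {"card": card, "time": datetime.fromisoformat(ts), "country": country, "amount": amount}
        for card, ts, country, amount in records
    ]
    return sorted(parsed, key=lambda r: (r["card"], r["time"]))


def flag_cash_out(records, issuer_country=ISSUER_COUNTRY, window=timedelta(hours=48),
                  min_countries=2, min_foreign=3):
    """Return {card_id: details} for cards whose foreign withdrawals match a cash-out pattern.

    A card is flagged when, inside any sliding window starting at one of its foreign
    withdrawals, it is used in at least `min_countries` distinct foreign countries
    (improbable travel) or at least `min_foreign` times outside the issuer's country.
    Withdrawals inside the issuer's country are ignored so ordinary use does not trigger.
    """
    by_card = defaultdict(list)
    for rec in parse_withdrawals(records):
        if rec["country"] != issuer_country:
            by_card[rec["card"]].append(rec)

    flagged = {}
    for card, rows in by_card.items():
        for i, start in enumerate(rows):
            in_window = [r for r in rows[i:] if r["time"] - start["time"] <= window]
            countries = sorted({r["country"] for r in in_window})
            if len(countries) >= min_countries or len(in_window) >= min_foreign:
                flagged[card] = {
                    "countries": countries,
                    "foreign_withdrawals": len(in_window),
                    "total_usd": round(sum(r["amount"] for r in in_window), 2),
                    "first_seen": start["time"].isoformat(),
                }
                break  # one hit per card is enough; stop scanning further windows
    return flagged


if __name__ == "__main__":
    for card, details in flag_cash_out(SAMPLE_WITHDRAWALS).items():
        print(card, details)
```

Only card-0002 is reported: its four withdrawals span three countries in under a day, while card-0003's lone withdrawal in Cyprus stays below both thresholds. In production the same check would run against the authorization stream, and the thresholds would be tuned against the bank's own travel baseline; the point is that the cash-out pattern is visible to the issuer even when the processing system itself has been compromised to approve the transactions.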
Silence APT supposedly consists of two people who were once involved in bank security and penetration testing but went over to the dark side. The group is relatively young, but its appetites are growing rapidly, as is its area of activity. Its operations have not yet reached the scale of the FASTCash campaigns run by one of the divisions of the Lazarus group, but experts suggest that the first successful attacks in Asia indicate preparation for a large operation.
YARA rules by Florian Roth to detect the malware used by the group in earlier attacks: https://tdm.socprime.com/tdm/info/1977/
Web Application Security Framework by SOC Prime to detect web application misuse and breach attempts: https://tdm.socprime.com/tdm/info/47/