Silence Group Includes Fileless Tools In Their Arsenal

Delaware, USA – August 21, 2019 – In the three years since its inception, the financially motivated Silence group has stolen more than $4 million from banks located in Europe, Asia, Africa, and Latin America. In 2016, the group consisted of supposedly two people and effectively operated exclusively within the CIS. This spring, Silence group entered the world stage and carried out successful attacks on banks in Bangladesh, and continued to prepare attacks on banks around the world. Group-IB published an updated report on the activities of this group and the latest changes to their TTPs and tools used in attacks. According to experts, in June the group conducted a campaign against Russian banks, and in July they attacked organizations in Chile, Bulgaria, Costa Rica, and Ghana. Adversaries began to conduct additional reconnaissance determining the aims for the attack: to receive an up-to-date list of potential victims, they send thousands of emails without malicious attachments that disguised as an automated reply for a failed delivery. Next, cybercriminals conduct a spear-phishing campaign to infect systems in a targeted bank network with custom malware. Their main goal is to infect the card processing machines with Trojan and use them to control ATMs. To withdraw cash, the group uses money mules with cloned payment cards.

The Silence group develops or acquires new custom tools, and recently they switched to fileless attacks using PowerShell. Researchers determined that Silence.Downloader was written by the same author who created FlawedAmmyy.Downloader for the TA505 group. In parallel, attackers started using a PowerShell-based fileless loader to deliver malware. The new fileless tools also include EmpireDNSAgent which is based on the dnscat2 project and Empire framework and is used for lateral movement.

Content to detect malicious use of PowerShell:

PowerShell Download from URL – https://tdm.socprime.com/tdm/info/1189/

Suspicious PowerShell Invocations – Specific – https://tdm.socprime.com/tdm/info/1244/
Suspicious PowerShell Invocation based on Parent Process – https://tdm.socprime.com/tdm/info/1267/
PowerShell Rundll32 Remote Thread Creation – https://tdm.socprime.com/tdm/info/1464/
Powershell Download (Sysmon) – https://tdm.socprime.com/tdm/info/1173/