Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]
Name | Description |
---|---|
WHISPER SPIDER |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Silence has used |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Silence has used PowerShell to download and execute payloads.[1][4] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Silence has used Windows command-line to run commands.[1][2][4] |
||
.005 | Command and Scripting Interpreter: Visual Basic | |||
.007 | Command and Scripting Interpreter: JavaScript | |||
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.[1][4] |
Enterprise | T1105 | Ingress Tool Transfer |
Silence has downloaded additional modules and malware to victim’s machines.[4] |
|
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location | |
Enterprise | T1112 | Modify Registry |
Silence can create, delete, or modify a specified Registry key or value.[4] |
|
Enterprise | T1106 | Native API |
Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[2][4] |
|
Enterprise | T1571 | Non-Standard Port |
Silence has used port 444 when sending data about the system from the client to the server.[4] |
|
Enterprise | T1027 | Obfuscated Files or Information |
Silence has used environment variable string substitution for obfuscation.[1] |
|
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.[5] [2] |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[4] |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. [1][2][4] |
Enterprise | T1055 | Process Injection |
Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.[4] |
|
Enterprise | T1090 | .002 | Proxy: External Proxy |
Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\Socks5.[4] |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol | |
Enterprise | T1018 | Remote System Discovery |
Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.[4] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | |
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1218 | .001 | Signed Binary Proxy Execution: Compiled HTML File |
Silence has weaponized CHM files in their phishing campaigns.[1][2][5][4] |
Enterprise | T1072 | Software Deployment Tools |
Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.[4] |
|
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[5] |
Enterprise | T1569 | .002 | System Services: Service Execution |
Silence has used Winexe to install a service on the remote system.[2][4] |
Enterprise | T1204 | .002 | User Execution: Malicious File |
Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[1][2][4] |
Enterprise | T1078 | Valid Accounts |
Silence has used compromised credentials to log on to other systems and escalate privileges.[4] |
|
Enterprise | T1125 | Video Capture |
Silence has been observed making videos of victims to observe bank employees day to day activities.[2][4] |