Stolen credentials are used to launch attacks which include the ability to stream live video of the screens of infected users.
A previously unknown but highly organised hacking group is carrying out a series of cyber attacks against banks and financial institutions around the world, deploying trojan malware to gain entry into networks.
The attackers are capable of monitoring everything a victim does in order to provide them with all the information they need to sneak around bank networks and make off with stolen funds.
Uncovered by Kaspersky Lab, the ‘Silence’ hacking group is suspected to be a Russian-speaking operation which has hit at least 10 financial organisations including those in Armenia and Malaysia, but mostly within Russia.
The initial attack techniques of Silence campaigns are similar threat actors including the infamous Carbanak group – initial victims are tricked by phishing emails which give the attackers a foothold into the network. They’ll remain there for a long time, only striking when they have enough information to steal large amounts.
Those behind Silence are appear to be actively targeting banks which have previously been attacked. They use emails from the addresses of real employees who have had accounts compromised – potentially bought from the dark web – to send a phishing email about what looks to be a routine request about opening a customer account.
See also: Cyberwar: A guide to the frightening future of online conflict
It’s the Russian language in the code which has led researchers to the conclusion that the attack group is Russian-speaking.
Once downloaded and installed on the system, the malware allows the attackers to take multiple screenshots of the victim’s active screen, providing a real-time stream.
A similar technique was used by Carbanak to gain an understanding of the victim’s day-to-day activity and points to the ultimate end goal of Silence – obtaining all the information required to eventually steal money.
The malware also includes a Winexecsvc tool which allows the execution of remote commands – useful when it comes to the attackers making their way around the infected network.
Researchers note that this particular campaign has been successful in attacking financial institutions, no matter where in the world they’re based or what the network infrastructure looks like.
“We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed. The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture,” said Sergey Lozhkin, security expert at Kaspersky Lab.
While Silence uses very similar techniques to the Carbanak group – which has stolen more than $1 billion from banks worldwide – it’s still uncertain if the two groups are at all related.
Researchers have warned the the attacks are still ongoing.