Incident Of The Week: Silence Trojan Records Financial Info

Dan Gunderman

In the dynamic world of cyber security, the details of breaches are closely guarded, and the breaches themselves are, sadly, all but inevitable.

Combing through data, market research and the threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outward to help enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine the Silence Trojan, which appears poised to rob financial institutions in Russia, Armenia, Malaysia and beyond.

The threat was reportedly discovered by researchers at Kaspersky Lab in September. Kaspersky’s Global Research and Analysis Team (GReAT) said that most of the attacks have been aimed at Russian institutions.

The Trojan’s repertoire appears to mimic that of the Eastern European Carbanak group, which was classified as an advanced persistent threat (APT). Carbanak used spear-phishing emails carrying malware and a Trojan backdoor to gain remote access to bank networks and harvest sensitive financial information. Carbanak placed Russian institutions within its crosshairs, but reached as far as Denmark and the U.S.

After a period of close monitoring, the Carbanak operators gathered enough knowledge of each victim’s internal processes to covertly tap into the banks’ coffers. In all, the group siphoned about $1 billion over two years from some 100 banks across a wide territory.

There is no confirmed connection between Silence and Carbanak, although the outward similarities are there. In either case, a multi-step procedure gives the Silence operators access to the information they deem profitable.

First, a Silence operator gains access to an employee’s email account, either through leaked data or through an earlier malware infection. Sending spear-phishing emails from that trusted account, the attackers then look to spread to other computers inside the organization, with the goal of reaching financial management systems.

According to Bleeping Computer, the phishing emails carry a CHM (compiled HTML Help) file attachment that, if opened, runs embedded JavaScript which downloads and executes the malware. Following this “dropper” stage, information about the infected machine is collected and shipped to the attackers’ command-and-control (C&C) servers.

If the compromised computer is judged worth keeping in the ring of infected devices, the second stage begins: the Silence Trojan itself. One module sets up camp and takes repeated screenshots of the user’s activity. A second module uses Windows administration tools to record all on-screen activity. The resulting bitmaps form a “pseudo-video stream” that lets the operators watch how employees work with accounts and management systems, and then strike at will.
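The two observable stages of the chain described above, a CHM attachment delivered by email and the CHM viewer (hh.exe on Windows) spawning a script interpreter or shell, lend themselves to simple detection logic. The following is an added example written for this article, not code from Kaspersky, Bleeping Computer or the Silence operators. The log formats, field names, host names and addresses are constructed for illustration and are assumptions, not real product output; the list of suspicious child processes is one reasonable choice, not an exhaustive one.

```python
"""Triage constructed mail-gateway and process-creation logs for the CHM dropper
stage described in the article.  Added example; formats and data are assumptions."""
import re
from typing import Dict, List

# Constructed sample mail-gateway records (assumed key=value format, not a real product's log).
MAIL_LOG = r"""
ts=2017-10-03T09:12:44Z from=accounts@partner.example to=ivanov@bank.example subject="Invoice" attachment=invoice_1023.pdf
ts=2017-10-03T09:13:02Z from=ivanov@bank.example to=petrova@bank.example subject="Please review" attachment=contract_2017.chm
ts=2017-10-03T09:15:10Z from=hr@bank.example to=all@bank.example subject="Schedule" attachment=schedule.docx
"""

# Constructed sample process-creation events (Sysmon-like field names, assumed).
PROCESS_LOG = r"""
ts=2017-10-03T09:14:31Z host=WS-017 user=petrova parent_image=C:\Windows\explorer.exe image=C:\Windows\hh.exe cmdline="hh.exe C:\Users\petrova\Downloads\contract_2017.chm"
ts=2017-10-03T09:14:33Z host=WS-017 user=petrova parent_image=C:\Windows\hh.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c wscript.exe C:\Users\petrova\AppData\Local\Temp\update.vbs"
ts=2017-10-03T09:20:00Z host=WS-042 user=sidorov parent_image=C:\Windows\explorer.exe image=C:\Windows\hh.exe cmdline="hh.exe C:\Windows\Help\mui\0409\mmc.CHM"
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Interpreters, shells and download-capable Windows binaries that the HTML Help viewer
# has no legitimate reason to launch (assumed list for this example).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict, honoring quoted values."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def basename_lower(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_chm_attachments(mail: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stage 1: any CHM attachment is worth a look; CHM is a rare business format."""
    return [
        {"stage": "dropper-delivery", "ts": rec["ts"], "from": rec["from"],
         "to": rec["to"], "attachment": rec["attachment"]}
        for rec in mail if rec.get("attachment", "").lower().endswith(".chm")
    ]


def correlate_opened_attachments(mail_alerts: List[Dict[str, str]],
                                 procs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join a flagged attachment to the host where hh.exe opened a file of that name."""
    alerts = []
    for alert in mail_alerts:
        name = alert["attachment"].lower()
        for ev in procs:
            if basename_lower(ev.get("image", "")) == "hh.exe" and name in ev.get("cmdline", "").lower():
                alerts.append({"stage": "dropper-opened", "ts": ev["ts"], "host": ev["host"],
                               "user": ev["user"], "attachment": alert["attachment"],
                               "mailed_by": alert["from"]})
    return alerts


def flag_hh_children(procs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stage 2: hh.exe launching a shell or interpreter is the CHM's JavaScript at work."""
    return [
        {"stage": "dropper-execution", "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
         "child": basename_lower(ev["image"]), "cmdline": ev.get("cmdline", "")}
        for ev in procs
        if basename_lower(ev.get("parent_image", "")) == "hh.exe"
        and basename_lower(ev.get("image", "")) in SUSPICIOUS_CHILDREN
    ]


def triage(mail_text: str = MAIL_LOG, proc_text: str = PROCESS_LOG) -> List[Dict[str, str]]:
    """Run all three checks and return the alerts in kill-chain order."""
    mail, procs = parse_log(mail_text), parse_log(proc_text)
    mail_alerts = flag_chm_attachments(mail)
    return mail_alerts + correlate_opened_attachments(mail_alerts, procs) + flag_hh_children(procs)


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

On the constructed data the script raises three alerts: the CHM mailed from the compromised ivanov account, the same file being opened by hh.exe on WS-017, and hh.exe spawning cmd.exe on that host. The legitimate CHM under C:\Windows\Help opened on WS-042 produces nothing, because hh.exe is only suspicious when it has a child it should not have, not when it runs.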

The research collected on the Trojan suggests that its operators speak Russian. How much money has been stolen is currently unknown, as is the relationship between Silence and Carbanak, if any.

Those tasked with enterprise security oversight certainly have their hands full, but it is far better to know the warning signs before the lock is picked.