Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.^[1]^[2]

ID: G0091

ⓘ

Associated Groups: Whisper Spider

Contributors: Oleg Skulkin, Group-IB

Version: 2.2

Created: 24 May 2019

Last Modified: 22 March 2023

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Whisper Spider	^[3]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Silence has used `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, and the Startup folder to establish persistence.^[4]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Silence has used PowerShell to download and execute payloads.^[1]^[4]
		.003	Command and Scripting Interpreter: Windows Command Shell	Silence has used Windows command-line to run commands.^[1]^[2]^[4]
		.005	Command and Scripting Interpreter: Visual Basic	Silence has used VBS scripts.^[1]
		.007	Command and Scripting Interpreter: JavaScript	Silence has used JS scripts.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.^[1]^[4]
Enterprise	T1105		Ingress Tool Transfer	Silence has downloaded additional modules and malware to victim’s machines.^[4]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Silence has named its backdoor "WINWORD.exe".^[4]
Enterprise	T1112		Modify Registry	Silence can create, delete, or modify a specified Registry key or value.^[4]
Enterprise	T1106		Native API	Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.^[2]^[4]
Enterprise	T1571		Non-Standard Port	Silence has used port 444 when sending data about the system from the client to the server.^[4]
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	Silence has used environment variable string substitution for obfuscation.^[1]
Enterprise	T1588	.002	Obtain Capabilities: Tool	Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.^[5] ^[2]
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.^[4]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. ^[1]^[2]^[4]
Enterprise	T1055		Process Injection	Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.^[4]
Enterprise	T1090	.002	Proxy: External Proxy	Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\Socks5.^[4]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Silence has used RDP for lateral movement.^[4]
Enterprise	T1018		Remote System Discovery	Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.^[4]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Silence has used scheduled tasks to stage its operation.^[1]
Enterprise	T1113		Screen Capture	Silence can capture victim screen activity.^[2]^[4]
Enterprise	T1072		Software Deployment Tools	Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.^[4]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).^[5]
Enterprise	T1218	.001	System Binary Proxy Execution: Compiled HTML File	Silence has weaponized CHM files in their phishing campaigns.^[1]^[2]^[5]^[4]
Enterprise	T1569	.002	System Services: Service Execution	Silence has used Winexe to install a service on the remote system.^[2]^[4]
Enterprise	T1204	.002	User Execution: Malicious File	Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.^[1]^[2]^[4]
Enterprise	T1078		Valid Accounts	Silence has used compromised credentials to log on to other systems and escalate privileges.^[4]
Enterprise	T1125		Video Capture	Silence has been observed making videos of victims to observe bank employees day to day activities.^[2]^[4]

Software

ID	Name	References	Techniques
S0363	Empire	^[5]	Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0195	SDelete	^[4]	Data Destruction, Indicator Removal: File Deletion
S0191	Winexe	^[2]	System Services: Service Execution

Silence

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References