Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]

ID: G0091
Contributors: Oleg Skulkin, Group-IB
Version: 1.1
Created: 24 May 2019
Last Modified: 23 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Silence has used Windows command-line to run commands.[1][2][3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Silence has used VBS scripts.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript/JScript

Silence has used JS scripts.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Silence has used PowerShell to download and execute payloads.[1][3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Silence has deleted artifacts, including scheduled tasks, files received from the C2 server, and other logs.[1][3]

Enterprise T1105 Ingress Tool Transfer

Silence has downloaded additional modules and malware to victims' machines.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Silence has named its backdoor "WINWORD.exe".[3]

Enterprise T1112 Modify Registry

Silence can create, delete, or modify a specified Registry key or value.[3]

Enterprise T1106 Native API

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[2][3]

Enterprise T1571 Non-Standard Port

Silence has used port 444 when sending data about the system from the client to the server.[3]

Enterprise T1027 Obfuscated Files or Information

Silence has used environment variable string substitution for obfuscation.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.[1][2][3]

Enterprise T1055 Process Injection

Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.[3]

Enterprise T1090 .002 Proxy: External Proxy

Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4/SOCKS5.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Silence has used RDP for lateral movement.[3]

Enterprise T1018 Remote System Discovery

Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Silence has used scheduled tasks to stage its operation.[1]

Enterprise T1113 Screen Capture

Silence can capture victim screen activity.[2][3]

Enterprise T1218 .001 Signed Binary Proxy Execution: Compiled HTML File

Silence has weaponized CHM files in their phishing campaigns.[1][2][4][3]

Enterprise T1072 Software Deployment Tools

Silence has used RAdmin, a remote administration tool, to control workstations and ATMs remotely.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[4]

Enterprise T1569 .002 System Services: Service Execution

Silence has used Winexe to install a service on the remote system.[2][3]

Enterprise T1204 .002 User Execution: Malicious File

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[1][2][3]

Enterprise T1078 Valid Accounts

Silence has used compromised credentials to log on to other systems and escalate privileges.[3]

Enterprise T1125 Video Capture

Silence has been observed recording videos of victims to observe bank employees' day-to-day activities.[2][3]

Software

ID Name References Techniques

S0363 Empire
References: [4]
Techniques: Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

S0195 SDelete
References: [3]
Techniques: Data Destruction, Indicator Removal on Host: File Deletion, Subvert Trust Controls: Code Signing

S0191 Winexe
References: [2]
Techniques: System Services: Service Execution

References