Register to stream ATT&CKcon 2.0 October 29-30

Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. [1][2]

ID: G0091
Contributors: Oleg Skulkin, Group-IB
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Silence has used Windows command-line to run commands. [1] [2]
Enterprise T1223 Compiled HTML File Silence has weaponized CHM files in their phishing campaigns. [1] [2]
Enterprise T1106 Execution through API Silence leverages the Windows API to perform a variety of tasks. [2]
Enterprise T1107 File Deletion Silence deleted scheduled task files after its execution. [1]
Enterprise T1027 Obfuscated Files or Information Silence has used environment variable string substitution for obfuscation. [1]
Enterprise T1053 Scheduled Task Silence has used scheduled tasks to stage its operation. [1]
Enterprise T1113 Screen Capture Silence can capture victim screen activity. [2]
Enterprise T1064 Scripting Silence has used JS, VBS, and PowerShell scripts. [1]
Enterprise T1035 Service Execution Silence has used Winexe to install a service on the remote system. [2]
Enterprise T1193 Spearphishing Attachment Silence has sent emails with malicious DOCX, CHM and ZIP attachments. [1] [2]
Enterprise T1204 User Execution Silence attempts to get users to launch malicious attachments delivered via spearphishing emails. [1] [2]
Enterprise T1125 Video Capture Silence has been observed making videos of victims to observe bank employees day to day activities. [2]

Software

ID Name References Techniques
S0191 Winexe [2] Service Execution

References