Experts have discovered a new targeted attack using a Trojan by the name of Silence against financial institutions.
Russian banks are first in the line of fire, but Malaysian and Armenian organizations have also been infected.
Tactically, the attack is very similar to the canonical financial APT campaign, the notorious Carbanak: a phishing e-mail with a malicious attachment sent to employees of banks and financial organizations, followed by spying on employees and then, suddenly, a fraudulent transaction. This proven method has already brought its operators billions of dollars, so why not try it again? This time around, however, the attackers have perfected the e-mail hook. Having infected and firmly infiltrated the infrastructure of an organization, the attackers start e-mailing “contracts” to the bank’s partners.
The next victim receives a phishing message from the address of a real person who works at the bank. This greatly increases the likelihood of a malicious attachment being clicked.
How Silence works
The modules let the attackers collect data about the infected network and record images from employees’ screens. At first, they monitor everyone, but then they shift focus to those most likely to possess useful financial information. Once the intruders have a thorough understanding of how the victim’s information systems work, they give the order to transfer funds to their own accounts. Technical details and IOCs can be found in this Securelist post.
How to protect your business against a Silence attack
As you can see, reminding employees not to open attachments from external e-mails is not sufficient. To protect financial institutions against modern-day cyberthreats, we recommend:
Download SafeUM — communicate privately, without advertising and spam.