Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Windows, macOS, Linux | initial-access | Spearphishing Attachment | Silence has sent emails with malicious DOCX, CHM and ZIP attachments. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Windows | execution, persistence, privilege-escalation | Scheduled Task | Silence has used scheduled tasks to stage its operation. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
Linux, macOS, Windows | defense-evasion, execution | Scripting | Silence has used JS, VBS, and PowerShell scripts. | Process monitoring, File monitoring, Process command-line parameters |
Windows | execution | Service Execution | Silence has used Winexe to install a service on the remote system. | Windows Registry, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | execution | Command-Line Interface | Silence has used the Windows command line to run commands. | Process monitoring, Process command-line parameters |
Linux, Windows, macOS | execution | User Execution | Silence attempts to get users to launch malicious attachments delivered via spearphishing emails. | Anti-virus, Process command-line parameters, Process monitoring |
Windows | defense-evasion, execution | Compiled HTML File | Silence has weaponized CHM files in their phishing campaigns. | File monitoring, Process monitoring, Process command-line parameters |
Windows | execution | Execution through API | Silence leverages the Windows API to perform a variety of tasks. | API monitoring, Process monitoring |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Silence has used environment variable string substitution for obfuscation. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
Linux, macOS, Windows | defense-evasion | File Deletion | Silence deleted scheduled task files after their execution. | File monitoring, Process command-line parameters, Binary file metadata |
Linux, macOS, Windows | collection | Screen Capture | Silence can capture victim screen activity. | API monitoring, Process monitoring, File monitoring |
Windows, macOS | collection | Video Capture | Silence has been observed making videos of victims to observe bank employees' day-to-day activities. | Process monitoring, File monitoring, API monitoring |
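The "Obfuscated Files or Information" row above lists process command-line parameters as a data source. The following detection helper is an added example (not from the original page, MITRE, or any vendor tooling): it flags command lines that stitch text together with cmd.exe's `%VAR:~start,len%` substring expansion, the environment-variable string substitution attributed to Silence, and decodes them for triage. The sample log records and the `KNOWN_VARS` default values are constructed assumptions.

```python
import re
from typing import Optional

# cmd.exe substring expansion: %NAME:~start% or %NAME:~start,len% (start/len may be negative)
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Assumed default values for common variables; in production take them from the
# logged process environment, since the decoded text depends on host-specific values.
KNOWN_VARS = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
}

def expand_substrings(cmdline: str, env: dict = KNOWN_VARS) -> str:
    """Resolve each %VAR:~s,l% token using cmd.exe substring semantics."""
    def repl(m: re.Match) -> str:
        name, start, length = m.group(1).upper(), int(m.group(2)), m.group(3)
        value = env.get(name)
        if value is None:
            return m.group(0)            # unknown variable: leave the token in place
        if start < 0:                    # negative start counts back from the end
            start = max(len(value) + start, 0)
        if length is None:
            return value[start:]
        n = int(length)                  # negative len: stop that many chars before the end
        return value[start:start + n] if n >= 0 else value[start:len(value) + n]
    return SUBSTR_RE.sub(repl, cmdline)

def assess(cmdline: str, threshold: int = 3) -> Optional[dict]:
    """Flag a command line that assembles text from >= threshold substring tokens."""
    count = len(SUBSTR_RE.findall(cmdline))
    if count < threshold:
        return None
    return {"tokens": count, "decoded": expand_substrings(cmdline)}

# Constructed sample command-line records (not taken from any real incident).
SAMPLE_LOG = [
    r'cmd.exe /c whoami',
    r'cmd.exe /c %COMSPEC:~11,1%%COMSPEC:~15,1%%COMSPEC:~14,1% /a x=1',
    r'cmd.exe /c "dir %PUBLIC%"',
]

def scan(lines=SAMPLE_LOG) -> list:
    """Return (line, finding) pairs for every record that trips the threshold."""
    return [(line, f) for line in lines if (f := assess(line))]

if __name__ == "__main__":
    for line, finding in scan():
        print(f"[obfuscated cmdline] {finding['tokens']} tokens -> {finding['decoded']}")
```

Plain `%VAR%` references are deliberately not flagged, so ordinary scripts that expand `%PUBLIC%` or `%TEMP%` do not generate noise; only the substring form counts toward the threshold.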