The new group has been called Silence by researchers at Kaspersky Lab who recently published a report about the criminals’ activities, which bear a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.
“They are not Carbanak,” said Kaspersky Lab researcher Sergey Lozhkin. “They are using some of the same techniques at some points, but that’s it.” Kaspersky Lab said it did not have information on the gang’s success, nor how much it had stolen to date. The attacks, however, are ongoing, the researchers said.
The researchers called the group’s attacks “targeted.” The group uses spear phishing and a number of different means to maintain persistence on a bank’s internal network, monitor employee and system activities, and eventually steal money.
The spear-phishing emails contain attachments that eventually download and execute a dropper that reaches out to the attacker’s infrastructure. The backdoor is used to send system information and execute malicious code that uploads data, steals credentials and initiates tasks such as screen recording, which was a hallmark of Carbanak.
Silence, like Carbanak, uses these screen grabs to essentially create a video recording of daily activity on employees’ computers, amassing knowledge about internal processes before stealing money. “We saw that technique before in Carbanak, and other similar cases worldwide,” Kaspersky Lab said in its report.
Kaspersky Lab said that the Silence gang’s spear-phishing emails are sent from an already-compromised financial network.
“The cyber-criminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank,” Kaspersky Lab’s report said. “The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”
Source: Cyber Security Intelligence