The Modern Form of Bank Robbery: Cyber Criminals Steal $1Billion

A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia is alleged to have stolen possibly as much as $1 billion worldwide from financial organisations.

The new group has been called Silence by researchers at Kaspersky Lab who recently published a report about the criminals’ activities, which bear a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.

“They are not Carbanak,” said Kaspersky Lab researcher Sergey Lozhkin. “They are using some of the same techniques at some points, but that’s it.” Kaspersky Lab said it did not have information on the gang’s success, nor how much it had stolen to date. The attacks, however, are ongoing, the researchers said.

The researchers called the group’s attacks “targeted,” using spear phishing and a number of different means to maintain persistence on a bank’s internal network, monitor employee and system activities, and eventually stealing money.

The spear-phishing emails contain attachments that eventually download and execute a dropper that reaches out to the attacker’s infrastructure. The backdoor is used to send system information and execute malicious code that uploads data, steals credentials and initiates tasks such as screen recording, which was a hallmark of Carbanak.

Silence, like Carbanak, uses these screen grabs to essentially create a video recording of daily activity on employees’ computers, amassing knowledge about internal processes before stealing money. “We saw that technique before in Carbanak, and other similar cases worldwide,” Kaspersky Lab said in its report.

Kaspersky Lab said that the Silence gang’s spear-phishing emails are sent from an already-compromised financial network.

“The cyber-criminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank,” Kaspersky Lab’s report said. “The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”

Silence also makes use of a proprietary Microsoft online help format called Microsoft Compiled HTML Help, or CHM. CHM files are interactive and can run JavaScript, for example, which the attackers use to redirect victims to external URLs.