
Russian-Speaking Hackers Behind Attacks on Pharma and Manufacturing in Europe

Silence/TA505: Malware samples uploaded to VirusTotal in early February are believed to have been used in attacks against pharmaceutical and manufacturing companies in Europe. The uploaded samples were identified as “Silence.ProxyBot” and updated versions of “Silence.MainModule,” leading researchers to attribute the attacks to the threat groups Silence and TA505. Researchers at Group-IB found evidence of TA505’s involvement in the form of a TinyMet Meterpreter stager compressed with TA505’s custom packer. Both Silence and TA505 are Russian-speaking threat groups that have been suspected of working together and sharing tools in the past. Silence normally targets financial institutions, whereas TA505 has been known to target many different industries. The attackers leveraged two vulnerabilities in Windows 10, CVE-2019-1405 and CVE-2019-1322, to achieve local privilege escalation. Researchers suspect that the intended goal was a ransomware attack on these organizations, a tactic TA505 has used before.

Analyst Notes

Silence and TA505 have been linked in the past and are believed to have worked together in various campaigns. This most recent campaign is the first time Silence has been seen deviating from its usual financial targets. Based on the evidence found, it is possible that Silence was not part of this attack and instead sold its tools to TA505, or to someone else who then used them in this attack. It is common for attackers to sell the tools they develop on hacking forums, so other individuals and groups can end up with the same tooling as well-known groups and use it in their own attacks. Attribution in situations like this is difficult and should not be treated as certain. To defend against advanced threat groups capable of evading static defenses, organizations should continuously monitor for signs of attacker behavior in network traffic and on endpoints. Managed Security Service Providers such as the Binary Defense Security Operations Center employ skilled security analysts to protect companies against intrusions 24 hours a day, seven days a week.
