Silence/TA505: Malware samples uploaded to VirusTotal in early February are believed to have been used in attacks against pharmaceutical and manufacturing companies in Europe. The uploaded samples were identified as “Silence.ProxyBot” and updated versions of “Silence.MainModule,” leading researchers to attribute these attacks to the threat groups Silence and TA505. Researchers at Group-IB found evidence of TA505’s involvement when they discovered a TinyMet Meterpreter stager compressed with TA505’s custom packer. Both Silence and TA505 are Russian-speaking threat actors that have been suspected of working together and sharing tools in the past. Silence normally targets financial institutions, whereas TA505 has been known to target many different industries. The attackers leveraged two Windows 10 vulnerabilities, CVE-2019-1405 and CVE-2019-1322, to achieve local privilege escalation. Researchers suspect that the intended goal was a ransomware attack on these organizations, a tactic TA505 has used before.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense