Silence: The financially motivated hacking group Silence has refined its tactics so that it can keep carrying out attacks while lowering its chance of being detected. The group was first observed in 2016 and has continued to evolve, this time improving both its malware and its operational security. It has been seen active in more than 30 countries on every continent. The group has rewritten its loader module, "Silence.Downloader/TrueBot", and begun using a fileless PowerShell loader called Ivoke. Lateral movement within victim networks is carried out by a new PowerShell agent called EmpireDNSAgent (EDA), which is based on the Empire post-exploitation framework, a project its maintainers have recently abandoned. For reconnaissance, the group first sends out emails that carry no malicious attachment or link; their only purpose is to confirm which addresses are live and whether mail reaches a real inbox. Once an address is verified, Silence sends its group-specific malware and follows up with lateral movement. In the final stage of the attack, Silence reaches the card-processing systems, which lets it control ATMs through the 'xfs-disp.exe' trojan, which dispenses cash to waiting money mules. In recent months the group has been heavily focused on the Russian financial sector.
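Of the tooling listed above, the lateral-movement agent is the piece most visible on the wire: assuming, as its name implies, that EmpireDNSAgent carries its command-and-control traffic inside DNS queries, a defender can look for the tell-tale pattern of one host sending many long, high-entropy, never-repeated subdomain labels to a single registered domain. The Python below is an added example, not code from the original article or from any vendor research on Silence; the log format, the sample queries, the threshold values and the two-label approximation of a registered domain are all assumptions made for the demonstration, and it is a generic DNS-tunnelling heuristic rather than a signature for EDA.

```python
"""Heuristic DNS-tunnelling detector run over a constructed DNS query log.

Added example: flags (client, registered domain) pairs that send many long,
high-entropy subdomain labels, a pattern typical of DNS-based C2 agents.
Log format, thresholds and sample data are assumptions, not real telemetry.
"""
import math
from collections import defaultdict

# Constructed sample log, one "<client_ip> <qname> <qtype>" per line.
# 10.0.1.15 browses normally; 10.0.1.22 beacons over TXT lookups.
SAMPLE_DNS_LOG = """\
10.0.1.15 www.example.com A
10.0.1.15 mail.example.com A
10.0.1.22 a3f9c2e1b7d4f0a8e6c5b9d2f1a7c3e4.c2.example.net TXT
10.0.1.22 9e1d4b7a2c8f3e6d5a0b1c7f2e9d4a6b.c2.example.net TXT
10.0.1.22 4c8b2e7f1a9d3c6e0b5f8a2d7e1c4b9f.c2.example.net TXT
10.0.1.22 d2a7e4c1f9b6e3a8c5d0f7b2e9a4c6d1.c2.example.net TXT
10.0.1.22 7f3e9a2c5d8b1e4f6a0c9d3b7e2a5f8c.c2.example.net TXT
10.0.1.22 b6d1f8a3e7c2b9f4d5a0e6c3f1b8d7a2.c2.example.net TXT
10.0.1.15 cdn.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is used, so 'co.uk'-style suffixes
    would be mis-grouped in real deployments.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Yield (client, qname, qtype) tuples, skipping blank or short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1].lower(), parts[2].upper()


def find_tunnelling(text: str, min_label_len: int = 20,
                    min_entropy: float = 3.0, min_hits: int = 4) -> dict:
    """Return {(client, domain): stats} for pairs that look like DNS tunnels.

    A query "hits" when its leftmost label is long and high-entropy. A pair
    is reported once it has at least `min_hits` hits spread over that many
    distinct names: a tunnel never repeats a name, because the resolver
    would answer repeats from cache instead of forwarding them to the C2.
    """
    stats = defaultdict(lambda: {"queries": 0, "hits": 0,
                                 "unique": set(), "types": set()})
    for client, qname, qtype in parse_dns_log(text):
        entry = stats[(client, registered_domain(qname))]
        entry["queries"] += 1
        entry["types"].add(qtype)
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            entry["hits"] += 1
            entry["unique"].add(qname)
    return {
        key: {"queries": v["queries"], "hits": v["hits"],
              "unique_subdomains": len(v["unique"]),
              "qtypes": sorted(v["types"])}
        for key, v in stats.items()
        if v["hits"] >= min_hits and len(v["unique"]) >= min_hits
    }


if __name__ == "__main__":
    for (client, domain), stats in find_tunnelling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

The thresholds are deliberately loose so the heuristic catches short beacons; in production they should be tuned per environment, CDN and anti-malware domains that legitimately use hashed labels should be allow-listed, and the query type distribution (TXT and NULL are rare in normal client traffic) is worth weighting as well.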
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased