Threat Watch

Silence Financial Hacking Group Seen Advancing Their Techniques

Silence: The financially motivated hacking group Silence has advanced its tactics to lower its chance of being detected while it continues to carry out attacks. The group was first seen in 2012 and has continued to evolve, this time improving its malware and operational security. It has been seen active in over 30 countries on every continent. The group has rewritten its module called “Silence.Downloader/Truebot” and begun using a fileless PowerShell loader called Ivoke. Lateral movement within networks is carried out by a new PowerShell agent called EmpireDNSAgent (EDA), which is based on the recently abandoned Empire framework. For reconnaissance, the group began sending out emails that contain no malicious files and are used to obtain a current list of active email addresses. After an address is verified, Silence begins sending group-specific malware, which is followed by lateral movement. In the final stage of the attack, Silence reaches the card processing machines, which allows it to control ATMs using the ‘xfs-disp.exe’ trojan, which dispenses the cash to money mules. The group has been heavily focused on the Russian financial sector in recent months.

ANALYST NOTES

Based on the recent reports on Silence, the group will likely continue to advance its techniques and evade detection. Through the use of money mules, the group is able to stay anonymous, since its members never appear on camera walking up to an ATM and taking the money.