Security researchers at Kaspersky Lab have discovered a new large-scale cyber attack targeting the banking sector. Most of the victims were Russian banks, but the attacks have also been detected in Armenian and Malaysian financial institutions.
The attackers use a well-known but still very effective tactic: they silently gain access to the internal banking network and hide inside it. While the intrusion goes undetected by security systems, the cybercriminals study the internal infrastructure of the bank's network and remotely record the computer screens of the bank's staff. Once the bank's software has been analyzed, the cybercriminals perform a transfer of funds.
This technique was successfully used by the Carbanak group and by some other hackers. The attackers infect banking networks using targeted emails with malicious attachments. They also use the infrastructure of previously infected banks, sending malicious messages to new victims from the real email addresses of bank employees. This method significantly increases the chances of intrusion.
Security experts have identified a few main modules of the Silence Trojan, each designed for a different purpose (monitoring and control, recording screen activity, communication with the C&C server). All of the modules start as Windows services.
Moreover, the Winexesvc application was detected on a number of infected computers. This program is not harmful in itself, but it can be used by cybercriminals as a post-exploitation tool. Winexesvc is an analog of the well-known PsExec program, which allows system commands to be executed remotely through the Windows console.
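Because both the Trojan's modules and Winexesvc run as Windows services, new service installations are a practical place to look. The following is an added example, not taken from Kaspersky Lab's report or the original article: it scans exported System-log "service installed" events (Event ID 7045) for the default winexe and PsExec service names. The event export, host names, timestamps and paths are constructed sample data, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Default service names of winexe and PsExec; matched case-insensitively.
MARKERS = ("winexesvc", "psexesvc")

# Constructed, simplified sample export (hosts, times and paths are made up).
_EV = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
       '<EventID>{id}</EventID><TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer>'
       '</System><EventData><Data Name="ServiceName">{name}</Data>'
       '<Data Name="ImagePath">{path}</Data></EventData></Event>')
SAMPLE = "<Events>" + "".join(_EV.format(**e) for e in [
    dict(id=7045, ts="2017-11-01T09:14:31Z", host="ws01.bank.example",
         name="winexesvc", path="winexesvc.exe"),
    # Renamed service whose binary still carries the tool's name.
    dict(id=7045, ts="2017-11-01T09:20:02Z", host="ws02.bank.example",
         name="Print Helper", path=r"C:\Windows\Temp\WinExeSvc.exe"),
    dict(id=7045, ts="2017-11-01T10:00:00Z", host="ws03.bank.example",
         name="Backup Agent", path=r"C:\Program Files\Backup\agent.exe"),
    # Not a service-install event, so it must be ignored.
    dict(id=7036, ts="2017-11-01T10:05:00Z", host="ws01.bank.example",
         name="winexesvc", path=""),
]) + "</Events>"


def find_remote_exec_services(xml_text):
    """Return (time, host, service, image path) for each 7045 event that
    installs a service matching a remote-execution marker."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id.strip() != "7045":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        name = data.get("ServiceName", "")
        path = data.get("ImagePath", "")
        # Check both fields: the service name alone is trivial to change.
        if any(m in (name + " " + path).lower() for m in MARKERS):
            created = ev.find("e:System/e:TimeCreated", NS)
            when = created.get("SystemTime", "") if created is not None else ""
            host = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
            hits.append((when, host, name, path))
    return hits


if __name__ == "__main__":
    for hit in find_remote_exec_services(SAMPLE):
        print("review:", *hit)
```

A match is a prompt for review rather than proof of compromise, since both tools are also used by administrators; correlate the host and time with who initiated the remote session.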