The Silence Trojan attacks Russian, Armenian and Malaysian banks


Security researchers at Kaspersky Lab have discovered a new large-scale cyber attack targeting the banking sector. Most of the victims were Russian banks, but the attacks have also been detected in Armenian and Malaysian financial institutions.

Attackers use a well-known but still very effective tactic: they silently gain access to the internal banking network and hide inside it. As long as the intrusion goes undetected by security systems, the cybercriminals study the internal infrastructure of the bank's network and remotely record the computer screens of the bank's staff. Once the bank's software has been analyzed, the cybercriminals perform a transfer of funds.

This technique was successfully used by the Carbanak group and by some other hackers. The attackers infect banking networks using targeted emails with malicious attachments. They use the infrastructure of previously infected banks, sending malicious messages to new victims from the real email accounts of bank employees. This method significantly increases the chances of intrusion.

The malicious attachment is sent to victims as a CHM document (Microsoft Compiled HTML Help, a proprietary online help format). A CHM document is in fact a collection of HTML pages compressed and packed into a single file. The format is interactive and can use JavaScript to redirect the user to an external URL as soon as the user simply opens the file.

Once a victim opens the malicious attachment, the start.htm file inside the CHM is launched automatically. This file contains malicious JavaScript code that downloads and starts a VBS script. That script in turn downloads a dropper to the infected computer.
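Because the infection chain above begins with a CHM file arriving as an email attachment, a mail gateway or incident responder wants to recognise CHM payloads regardless of the file name they carry. The following Python script is an added example and not code from the article or from Kaspersky Lab: it walks the attachments of an RFC 5322 message, sniffs the ITSF magic bytes that open every Compiled HTML Help container, and flags attachments whose declared extension hides that they are CHM files. The sample message, its addresses and its attachment bytes are constructed for the example; the "CHM" payload is only the ITSF header followed by zero padding, not a real help file.

```python
import email
from email import policy
from email.message import EmailMessage

# Every Compiled HTML Help container starts with the ITSF header; the format
# version is a little-endian DWORD immediately after the four magic bytes.
CHM_MAGIC = b"ITSF"

# File extensions legitimately used for CHM files. An ITSF payload under any
# other name is an attachment disguising its real type.
CHM_EXTENSIONS = {".chm"}


def sniff_chm(data: bytes):
    """Return the ITSF header version if `data` is a CHM container, else None."""
    if len(data) < 8 or not data.startswith(CHM_MAGIC):
        return None
    return int.from_bytes(data[4:8], "little")


def triage_attachments(raw_eml: bytes):
    """Inspect every attachment of a raw message and report CHM payloads.

    Each finding records the declared filename and content type, whether the
    payload is a CHM container, and whether the filename hides that fact.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        version = sniff_chm(payload)
        findings.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "is_chm": version is not None,
            "chm_version": version,
            # A CHM delivered as e.g. "invoice.pdf" is the case worth alerting on.
            "extension_mismatch": version is not None and ext not in CHM_EXTENSIONS,
        })
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample: a CHM-shaped attachment with a misleading name.

    Addresses and payload bytes are made up for the example. The first
    attachment is just the ITSF magic, version 3 and zero padding; the second
    is a harmless stand-in for a genuine PDF.
    """
    msg = EmailMessage()
    msg["From"] = "employee@bank.example"
    msg["To"] = "colleague@bank.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    fake_chm = CHM_MAGIC + (3).to_bytes(4, "little") + b"\x00" * 24
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed sample\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_eml()):
        verdict = "QUARANTINE" if finding["is_chm"] else "ok"
        print(f"{verdict:10} {finding['filename']} ({finding['content_type']}) "
              f"chm={finding['is_chm']} mismatch={finding['extension_mismatch']}")
```

The check deliberately keys on the container's magic bytes rather than on the `.chm` extension or the declared MIME type, since both are under the sender's control; a gateway policy that quarantines any ITSF payload would catch the lure described here even when it is renamed.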

Security experts have identified several main modules of the Silence Trojan, each designed for a different purpose (monitoring and control, recording screen activity, and communication with the C&C server). All of the modules start as Windows services.

Moreover, the Winexesvc application was detected on a number of infected computers. This program is not harmful in itself, but it can be used by cybercriminals as a post-exploitation tool. Winexesvc is an analog of the well-known PsExec program, which allows system commands to be executed remotely via the Windows console.
