Silence Trojan - the Latest Carbanak-Like Malware Against Banks

Silence is the name of a new Trojan (and the hacking group behind it), discovered in September by Kaspersky Lab researchers. The targeted attack is set against financial institutions, and at this point its victims are primarily Russian banks, as well as organizations in Malaysia and Armenia.

Threat Summary

Name: Silence Trojan
Type: Banking Trojan
Short Description: The Trojan gains persistent access to internal banking networks and makes video recordings of the daily activity on bank employees’ machines.
Symptoms: The Silence Trojan’s main feature is its ability to take repeated screenshots of the victim’s desktop at short intervals. It has been built to stay undetected on targeted systems.
Distribution Method: Spear-phishing emails

In these attacks, Silence’s authors used a very efficient technique: they gained persistent access to internal banking networks and made video recordings of the daily activity on bank employees’ machines, thus learning how the banking software is used. This knowledge was later applied to steal as much money as possible.

It is worth mentioning that researchers have previously observed this technique in Carbanak targeted operations. As explained in the original report, the infection vector is a spear-phishing email with a malicious attachment. A noteworthy stage from the Silence attack is that the cybercriminals had already compromised the banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees so that they look as unsuspicious as possible to future victims.

Malicious .chm Attachment Part of Silence Trojan’s Campaign

The attachment detected in these latest campaigns has been identified as a Microsoft Compiled HTML Help file. This is a Microsoft proprietary online help format that consists of a collection of HTML pages, indexing and other navigation tools, researchers explain. These files are compressed and deployed in a binary format with the .CHM (compiled HTML) extension. They are highly interactive and can run a series of technologies such as JavaScript. The files can redirect a victim towards an external URL after simply opening the CHM.

Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.

In short, the spear-phishing emails sent to victims contain a CHM (compiled HTML) file attachment. When the attachment is downloaded and opened, the CHM file runs JavaScript commands that download and install a malicious payload known as a dropper. In the case of the Silence Trojan attack, this payload has been identified as a Win32 executable deployed to collect data on infected hosts. The collected data is typically sent to the attackers’ C&C servers.
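
A mail-gateway check for the delivery method described above, as an added example that is not part of the original article: it flags attachments that are CHM files either by extension or by the ITSF signature at the start of the file, so a renamed CHM is still caught even when the message comes from a genuine internal address. The sample messages, addresses and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # signature at offset 0 of a compiled HTML Help file


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message: a text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "employee@bank.example"  # constructed address
    msg["To"] = "colleague@bank.example"   # constructed address
    msg["Subject"] = "Account documents"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def find_chm_attachments(raw: bytes) -> list:
    """Return one finding per attachment that is, or claims to be, a CHM."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(".chm")
        by_magic = data[:4] == CHM_MAGIC
        if by_name or by_magic:
            findings.append({
                "filename": name,
                "extension_match": by_name,
                "magic_match": by_magic,
                # Content is CHM but the name says otherwise: treat as renamed
                "renamed": by_magic and not by_name,
            })
    return findings


if __name__ == "__main__":
    fake_chm = CHM_MAGIC + bytes(60)  # constructed header, not a real help file
    for fname, body in [("statement.chm", fake_chm),
                        ("statement.doc", fake_chm),
                        ("notes.txt", b"meeting notes")]:
        print(fname, find_chm_attachments(build_sample(fname, body)))
```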

At a later stage, when a targeted machine is identified as valuable to the operation, the attackers send a second-stage payload – the Silence Trojan itself.


Silence Trojan – Technical Specifications

The Silence Trojan’s main feature is its ability to take repeated screenshots of the victim’s desktop at short intervals. The screenshots are then uploaded to the C&C server, where a real-time pseudo-video stream is created.

Why are the Trojan’s authors using screenshots instead of a video? They may have chosen this way of recording employees’ activities because it uses less computer resources and helps the Trojan remain undetected. This may be the reason the operation is called Silence.

Once all the data is collected, the cybercriminals can review the screenshots to locate valuable data, such as the URLs of internal money management systems, and continue their operation.

The final stage of the operation is built around the use of legitimate Windows administration tools to disguise the Trojan in its final phase. This technique has been previously used by Carbanak.

The best way to protect against targeted attacks on financial organizations is to deploy advanced detection capabilities found in a solution that can detect all types of anomalies and also scrutinize suspicious files at a deeper level, researchers say.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
