Home > Cyber News > Silence Trojan – the Latest Carbanak-Like Malware Against Banks

Silence Trojan – the Latest Carbanak-Like Malware Against Banks

Silence is the name of a new Trojan (and the hacking group behind it), discovered in September by Kaspersky Lab researchers. The targeted attack is set against financial institutions, and at this point its victims are primarily Russian banks, as well as organizations in Malaysia and Armenia.

Threat Summary

Name Silence Trojan
Type Banking Trojan
Short Description The Trojan is gaining persistent access to internal banking networks, making video recordings of daily activities of the bank’s employee machines.
Symptoms Silence Trojan main feature is its ability to take repeated screenshots, taken at small intervals, of the victim’s desktop. It has been built with the idea to stay undetected on targeted systems.
Distribution Method Spear-phishing emails
Detection Tool See If Your System Has Been Affected by malware


Malware Removal Tool

User Experience Join Our Forum to Discuss Silence Trojan.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

In these attacks, Silence’s authors were using a very efficient hacking technique – gaining persistent access to internal banking networks, making video recordings of daily activities of the bank’s employee machines, thus acquiring knowledge on how the software is being used. This knowledge was later applied to steal as much money as possible.

It is worth mentioning that researchers have previously observed this technique in Carbanak targeted operations. As explained in the original report, the infection vector is a spear-phishing email with a malicious attachment. A noteworthy stage from the Silence attack is that the cybercriminals had already compromised the banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees so that they look as unsuspicious as possible to future victims.

Related Story: Ordinaff Banking Trojan Is in the Hands of Capable Criminals

Malicious .chm Attachment Part of Silence Trojan’s Campaign

The attachment detected in these latest campaigns has been identified as a Microsoft Compiled HTML Help file. This is a Microsoft proprietary online help format that consists of a collection of HTML pages, indexing and other navigation tools, researchers explain. These files are compressed and deployed in a binary format with the .CHM (compiled HTML) extension. They are highly interactive and can run a series of technologies such as JavaScript. The files can redirect a victim towards an external URL after simply opening the CHM.

Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.

Shortly said, the spear-phishing emails sent out to victims, they contain a CHM (compiled HTML) file attachment. Upon downloading and opening the attachment, the CHM file will run JavaScript commands set to download and install a malicious payload known as a dropper. In the case of the Silence Trojan attack, this payload has been identified as a Win32 executable deployed to collect data on infected hosts. The collected data is typically sent to the attackers’ C&C servers.

At a later stage, when a targeted machine is outlined as valuable to the operation, the attackers send a second-stage payload – the Silence Trojan itself.

Silence Trojan – Technical Specifications

Silence Trojan main feature is its ability to take repeated screenshots, taken at small intervals, of the victim’s desktop. The screenshots are then uploaded to the C&C server where a real-time pseudo-video stream is created.

Why are the Trojan’s authors using screenshots instead of a video? They may have chosen this way of recording employees’ activities because it uses less computer resources and helps the Trojan remain undetected. This may be the reason the operation is called Silence.

Once all the data is collected, the cybercriminals can review the screenshots to locate valuable data such as finding URLs of internal money management systems, to continue their operation.

Related Story: TrickBot Banking Trojan Updated. WannaCry-Inspired Module Now Active

The final stage of the operation is built around the exploitation of legitimate Windows administration tools to masquerade the Trojan in its final phase. This technique has been previously used by Carbanak.

The best way to protect against targeted attacks on financial organizations is to deploy advanced detection capabilities found in a solution that can detect all types of anomalies and also scrutinize suspicious files at a deeper level, researchers say.


Malware Removal Tool

SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree