A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia has borrowed heavily from one of the kingpins in this realm, Carbanak, which is alleged to have stolen possibly as much as $1 billion worldwide from financial organizations.
The new group has been called Silence by researchers at Kaspersky Lab, who today published a report about the criminals’ activities, which bear a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.
“They are not Carbanak,” said Kaspersky Lab researcher Sergey Lozhkin. “[They are] using some of the same techniques at some points, but that’s it.”
Kaspersky Lab said it did not have information on the gang’s success, nor how much it had stolen to date. The attacks, however, are ongoing, the researchers said.
The researchers called the group’s attacks “targeted,” using spear phishing and a number of different means to maintain persistence on a bank’s internal network, monitor employee and system activities, and eventually steal money.
“We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” Lozhkin said. “The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”
The spear-phishing emails contain attachments that eventually download and execute a dropper, which reaches out to the attacker’s infrastructure. The resulting backdoor is used to send system information and execute malicious code that uploads data, steals credentials and initiates tasks such as screen recording, a hallmark of Carbanak.
Silence, like Carbanak, uses these screen grabs to essentially create a video recording of daily activity on employees’ computers, amassing knowledge about internal processes before stealing money.
“We saw that technique before in Carbanak, and other similar cases worldwide,” Kaspersky Lab said in its report.
Kaspersky Lab said that the Silence gang’s spear-phishing emails are sent from an already-compromised financial network.
“The cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank,” Kaspersky Lab’s report said. “The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”
Silence also makes use of a proprietary Microsoft online help format called Microsoft Compiled HTML Help, or CHM. CHM files are interactive and can run JavaScript, for example, which the attackers use to redirect victims to external URLs.
“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed,” Kaspersky Lab said. “This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.”
Once the dropper is unpacked and executed from the attacker’s command and control server, a number of payload modules are dropped that spy on systems and employees. One of those modules is the screen monitor, which uses Windows graphics (GDI) APIs, calling the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions, to record screen activity, Kaspersky Lab said.
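The CHM-to-dropper chain described above leaves a process-lineage trail a defender can hunt for: CHM attachments open in Windows HTML Help (hh.exe), so a help file that downloads and runs a next stage shows up as hh.exe spawning a script host or an executable from a user-writable directory. The following is an added example, not code from the Kaspersky report or the Silence toolset; it runs over constructed Sysmon-style process-creation records (the hostnames, PIDs, paths and file names are made up) and tracks descendants of hh.exe by PID so the second-hop payload is caught as well as the shell that launched it.

```python
import csv
import io
import ntpath
from typing import Dict, List, Tuple

# Script hosts and LOLBins that a help file has no business launching.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments for directories an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample records (not real telemetry):
# timestamp,host,parent_pid,pid,parent_image,image,command_line
SAMPLE_LOG = """\
2017-11-01T09:12:03Z,wks-17,1204,3310,C:\\Windows\\explorer.exe,C:\\Windows\\hh.exe,hh.exe account_request.chm
2017-11-01T09:12:05Z,wks-17,3310,3342,C:\\Windows\\hh.exe,C:\\Windows\\System32\\cmd.exe,cmd /c C:\\Users\\ivanov\\AppData\\Local\\Temp\\upd.exe
2017-11-01T09:12:06Z,wks-17,3342,3359,C:\\Windows\\System32\\cmd.exe,C:\\Users\\ivanov\\AppData\\Local\\Temp\\upd.exe,upd.exe
2017-11-01T10:02:11Z,wks-04,1188,2216,C:\\Windows\\explorer.exe,C:\\Windows\\hh.exe,hh.exe C:\\Windows\\Help\\mui\\0409\\mmc.chm
"""


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect_chm_chains(log_text: str) -> List[Dict[str, str]]:
    """Flag process trees rooted at hh.exe that reach a script host or an
    executable in a user-writable directory. Records must be in time order.
    Taint is keyed by (host, pid); production logs should key by process GUID
    instead, because PIDs are reused."""
    alerts: List[Dict[str, str]] = []
    tainted: Dict[Tuple[str, str], str] = {}  # (host, pid) -> command line of the hh.exe root
    for ts, host, ppid, pid, _parent, image, cmdline in csv.reader(io.StringIO(log_text)):
        if base(image) == "hh.exe":
            tainted[(host, pid)] = cmdline  # new help-viewer instance: start tracking its children
            continue
        root = tainted.get((host, ppid))
        if root is None:
            continue  # not descended from hh.exe
        tainted[(host, pid)] = root  # descendants inherit the taint
        if base(image) in SCRIPT_HOSTS:
            reason = "script host spawned under hh.exe"
        elif any(frag in image.lower() for frag in USER_WRITABLE):
            reason = "executable from user-writable path under hh.exe"
        else:
            continue
        alerts.append({"ts": ts, "host": host, "pid": pid, "image": image,
                       "chm": root, "reason": reason})
    return alerts
```

A legitimate help file opened from the Windows help directory (the wks-04 record) produces no alert; only the chain that spawns cmd.exe and then an executable under a user profile is reported.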
The researchers published a list of file names and hashes for the various malware components uncovered.