The organised crime group Silence has initiated a large-scale attack on Russian banks, sending thousands of malicious emails to employees.
Silence sent out 80,000 phishing emails to employees of Russian banks and of various other institutions, such as credit, financial and payment system entities.
Silence has gone undetected for years, with attacks dating back to 2016. The group specifically targets Russian-speaking banks. Its typical modus operandi is to steal from various banking systems, including AWS CBR, ATMs and card processing systems.
On January 16th, the group began sending out phishing emails regarding a legitimate event, “Forum iFin-2019”. The event is the XIX International Forum “Electronic Financial Services and Technologies” (iFin-2019), organised by the Association of Russian Banks and AIFM Media, which is planned to be held on the 19th-20th of February.
Attached to the emails was a zip file which included an invitation to the event, as well as a malicious attachment named “Silence.Downloader”, which is also known as “TrueBot”.
This malware takes screenshots of the victim’s desktop, which can then aid the group in escalating privileges if sufficient information has been gathered. Group-IB emphasise that this malware is specifically used by Silence.
Hours before Silence sent out the thousands of malicious emails, the official organisers of the XIX forum (iFin-2019) sent out emails announcing the event.
During 2018, Silence siphoned around $700,000 from ATMs in 2 attacks within 3 months, showing their ability to conduct successful attacks on banking systems multiple times.
Group-IB’s expert in cyber intelligence, Rustam Mirkasymov, has commented that Silence is “one of the most dangerous Russian speaking groups”, putting them into the same league as groups such as Cobalt and MoneyTaker.