Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]

ID: G0091
Associated Groups: Whisper Spider
Contributors: Oleg Skulkin, Group-IB
Version: 2.2
Created: 24 May 2019
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
Whisper Spider [3]

Techniques Used

Domain ID Name Use
Enterprise T1090 .002 Proxy: External Proxy

Silence has used ProxyBot, which lets the attacker redirect traffic from the current node to the backconnect server over SOCKS4/SOCKS5.[4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Silence has named its backdoor "WINWORD.exe".[4]

Enterprise T1112 Modify Registry

Silence can create, delete, or modify a specified Registry key or value.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Silence has used PowerShell to download and execute payloads.[1][4]

.003 Command and Scripting Interpreter: Windows Command Shell

Silence has used the Windows command line to run commands.[1][2][4]

.005 Command and Scripting Interpreter: Visual Basic

Silence has used VBS scripts.[1]

.007 Command and Scripting Interpreter: JavaScript

Silence has used JS scripts.[1]

Enterprise T1113 Screen Capture

Silence can capture victim screen activity.[2][4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[4]

Enterprise T1078 Valid Accounts

Silence has used compromised credentials to log on to other systems and escalate privileges.[4]

Enterprise T1106 Native API

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[2][4]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Silence has used environment variable string substitution for obfuscation.[1]

Enterprise T1204 .002 User Execution: Malicious File

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[1][2][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Silence has deleted artifacts, including scheduled tasks, files used for communication with the C2 server, and other logs.[1][4]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Silence has weaponized CHM files in their phishing campaigns.[1][2][5][4]

Enterprise T1569 .002 System Services: Service Execution

Silence has used Winexe to install a service on the remote system.[2][4]

Enterprise T1588 .002 Obtain Capabilities: Tool

Silence has obtained and modified versions of publicly available tools such as Empire and PsExec.[5][2]

Enterprise T1125 Video Capture

Silence has been observed recording video of victims' screens to observe bank employees' day-to-day activities.[2][4]

Enterprise T1072 Software Deployment Tools

Silence has used RAdmin, a remote administration tool, to remotely control workstations and ATMs.[4]

Enterprise T1105 Ingress Tool Transfer

Silence has downloaded additional modules and malware to victims' machines.[4]

Enterprise T1055 Process Injection

Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.[4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Silence has used RDP for lateral movement.[4]

Enterprise T1018 Remote System Discovery

Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.[1][2][4]

Enterprise T1571 Non-Standard Port

Silence has used port 444 when sending information about the compromised system from the client to the server.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Silence has used scheduled tasks to stage its operation.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).[5]
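Several of the entries above translate directly into host-level hunting logic: a Run-key value written under HKCU or HKLM (T1547.001), a binary named WINWORD.exe running from somewhere other than an Office install directory (T1036.005), hh.exe opening a .chm attachment (T1218.001, the HTML Help executable being what Windows uses to open CHM files), and an outbound connection to TCP/444 (T1571). The script below is an added example, not ATT&CK or Group-IB tooling, and runs the four checks over constructed Sysmon-style events. The event dictionaries, their field names (event_id, image, target_object, dest_port, ...), and the list of "expected" Office directories are assumptions for the example; map them to your own telemetry schema before using the logic.

```python
"""Hunting heuristics for four Silence (G0091) behaviours listed above.

Added example, not code from ATT&CK or Group-IB. The events are constructed,
Sysmon-like dictionaries; the field names are assumptions for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# T1547.001: a value written directly under a Run key in either hive.
RUN_KEY_RE = re.compile(
    r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
    re.IGNORECASE,
)
# Where a genuine WINWORD.exe is expected (assumption: default Office installs only).
OFFICE_DIRS = (
    "c:\\program files\\microsoft office",
    "c:\\program files (x86)\\microsoft office",
)


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    detail: str


def check_run_key(ev):
    """T1547.001 - Sysmon EID 13 (registry value set) under a Run key."""
    if ev.get("event_id") == 13 and RUN_KEY_RE.match(ev.get("target_object", "")):
        return Finding("T1547.001", ev["host"],
                       f"{ev['target_object']} -> {ev.get('details', '')}")
    return None


def check_masquerade(ev):
    """T1036.005 - a process named WINWORD.exe started outside an Office directory."""
    image = ev.get("image", "")
    if (ev.get("event_id") == 1
            and ntpath.basename(image).lower() == "winword.exe"
            and not image.lower().startswith(OFFICE_DIRS)):
        return Finding("T1036.005", ev["host"], image)
    return None


def check_chm(ev):
    """T1218.001 - hh.exe (HTML Help) opening a .chm, as with a weaponised attachment."""
    if (ev.get("event_id") == 1
            and ntpath.basename(ev.get("image", "")).lower() == "hh.exe"
            and ".chm" in ev.get("command_line", "").lower()):
        return Finding("T1218.001", ev["host"], ev["command_line"])
    return None


def check_port_444(ev):
    """T1571 - outbound connection (Sysmon EID 3) to TCP/444, the port reported for Silence."""
    if ev.get("event_id") == 3 and ev.get("initiated") and ev.get("dest_port") == 444:
        return Finding("T1571", ev["host"],
                       f"{ev.get('image', '')} -> {ev.get('dest_ip', '')}:444")
    return None


CHECKS = (check_run_key, check_masquerade, check_chm, check_port_444)


def hunt(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real data). The last two events are benign controls.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "image": "C:\\Windows\\hh.exe",
     "command_line": "\"C:\\Windows\\hh.exe\" C:\\Users\\alice\\Downloads\\invoice.chm"},
    {"host": "WS01", "event_id": 1,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\WINWORD.exe", "command_line": "WINWORD.exe"},
    {"host": "WS01", "event_id": 13,
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WINWORD",
     "details": "C:\\Users\\alice\\AppData\\Roaming\\WINWORD.exe"},
    {"host": "WS01", "event_id": 3, "initiated": True,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\WINWORD.exe",
     "dest_ip": "203.0.113.10", "dest_port": 444},
    {"host": "WS02", "event_id": 1,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n"},
    {"host": "WS02", "event_id": 3, "initiated": True, "image": "C:\\Windows\\explorer.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.host:<5} {f.detail}")
```

Each check is deliberately narrow so that a single benign event (the genuine Word binary on WS02, or an ordinary HTTPS connection) produces nothing; in practice the WINWORD.exe path check should be widened to cover Click-to-Run and per-user installs, and the port check is only meaningful once the environment's legitimate use of 444 has been baselined.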

Software

ID Name References Techniques
S0363 Empire [5] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0195 SDelete [4] Data Destruction, Indicator Removal: File Deletion
S0191 Winexe [2] System Services: Service Execution

References