Researchers have uncovered a new banking trojan with advanced surveillance capabilities targeting financial institutions. Get the facts on how it works and how to block it.
Banks and other financial institutions are top targets for cyber attacks, for obvious reasons. From the JPMorgan hack to last year's Swift attacks, infiltrating these organizations can result in massive profits for attackers in the form of cash and stolen information.
It's not too surprising, then, to see malware specifically designed to steal financial information on the rise lately (see Emotet, Ursnif, and Terdot). But one of the latest examples — a new trojan researchers at Kaspersky are calling "Silence" — is especially notable.
Silence has already been used to compromise banks in Russia, Malaysia, and Armenia, and analysis of the trojan indicates it uses surveillance capabilities reminiscent of those used by the infamous Carbanak group, which experts believe stole upwards of $1 billion over the course of two years.
Let's take a closer look at the Silence trojan, how it operates, and how Barkly blocks it.
How banks are getting infected with the Silence trojan
According to researchers, attacks begin with the attackers gaining access to a bank employee's email account, which can be accomplished in any number of ways (a phishing attack, credentials found in data breach leaks, etc.). Spear phishing emails are then sent from the compromised account, disguised as the routine requests other bank employees would expect to receive from that colleague.
A spear phishing email designed to spread Silence in a Russian organization. Source: Kaspersky
The dropper is a Win32 executable. Once it lands on the victim machine, its job is to establish communication with the attacker's command and control (C&C) server and download the payloads responsible for the surveillance portion of the attack detailed below.
Silence records victim activity with a "real-time pseudo-video stream"
The primary goal of the Silence payloads is to monitor and capture the infected victim's activity by taking repeated screenshots at short intervals. This allows attackers to later piece together a stop-motion-style stream of the bank employee's day-to-day activities, giving them insight into the software and systems the bank uses and its organizational structure and procedures, not to mention capturing usernames, passwords, and other sensitive information along the way.
One obvious benefit of this approach is that, compared to video recordings, screenshots take significantly fewer resources to produce and transmit. That helps the appropriately named Silence operate more quietly in the background without the victim noticing.
In addition to the victim monitoring and activity-capturing payloads, Silence also installs a backdoor that provides attackers with the ability to install additional payloads and access the victim machine at any time.
As Kaspersky researchers point out, what makes these payloads especially dangerous is that they are designed to blend in with typical system administration activity. They are registered as Windows services and take advantage of otherwise legitimate system tools: the Windows Graphics Device Interface (GDI), the Windows API, and the Winexecsvc tool (which enables remote command execution much like psexec does, but from Linux-based systems).
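Because the payloads persist as ordinary Windows services, one place a defender can still catch them is the System log, which records every new service installation as Event ID 7045. The script below is an added example for this page (it is not Silence's code and not Barkly's product logic) that parses 7045 message bodies and flags the traits an unwanted service tends to show: a binary outside the normal install roots, a binary in a user-writable folder, a system-binary name used outside C:\Windows, or a "service" that is really a command run through a built-in tool. The event texts, service names, and paths are constructed for the example.

```python
"""Triage Windows "service installed" events (System log, Event ID 7045).

Added example for this article; not the trojan's code or a vendor product.
All sample events below are constructed, and the paths in them are invented.
"""
import re
from pathlib import PureWindowsPath

# Roots where a legitimately installed service binary is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Locations a user (or a dropper running as the user) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")

# Names of Windows system binaries that malware likes to borrow.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Built-in tools that turn a "service" into an arbitrary command.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe"}

# Field lines as they appear in the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s+(.*)$",
    re.M,
)

# Constructed sample events (assumption: exported as plain message text).
SAMPLE_7045_MESSAGES = [
    "A service was installed in the system.\n\n"
    "Service Name:  Windows Defender Network Inspection Service\n"
    "Service File Name:  \"C:\\Program Files\\Windows Defender\\NisSrv.exe\"\n"
    "Service Type:  user mode service\nService Start Type:  demand start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\n"
    "Service Name:  Update Helper\n"
    "Service File Name:  \"C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe\" -k netsvcs\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\n"
    "Service Name:  Remote Assist\n"
    "Service File Name:  cmd.exe /c \"C:\\ProgramData\\rs\\run.bat\"\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\n"
    "Service Name:  Diagnostic Policy Service\n"
    "Service File Name:  C:\\Windows\\System32\\svchost.exe -k LocalServiceNoNetwork\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalService",
]


def parse_7045(message):
    """Turn the text body of a 7045 event into a dict of its fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def executable_of(image_path):
    """Extract the executable from a Service File Name value, which may be
    quoted and may carry command-line arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", s, re.I)
    return m.group(1) if m else s.split()[0]


def triage(message):
    """Return (service name, list of reasons) for one 7045 event.
    An empty reason list means nothing looked out of place."""
    fields = parse_7045(message)
    exe = executable_of(fields.get("Service File Name", ""))
    exe_lower = exe.lower()
    base = PureWindowsPath(exe).name.lower()
    reasons = []
    if not exe_lower.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside trusted install roots")
    if any(marker in exe_lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary in user-writable location")
    if base in SYSTEM_BINARY_NAMES and not exe_lower.startswith("c:\\windows\\"):
        reasons.append(f"system binary name {base} outside C:\\Windows")
    if base in LOLBINS:
        reasons.append(f"service runs through {base}")
    return fields.get("Service Name", "?"), reasons


def triage_log(messages):
    """Map each flagged service name to its reasons; clean services are omitted."""
    findings = {}
    for message in messages:
        name, reasons = triage(message)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_7045_MESSAGES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The heuristics are deliberately coarse: a service that lives under C:\Windows and carries a plausible name, as the Silence components are built to do, will pass them. The next step in a real environment is to pair this with code-signing checks and a baseline of the services expected on each host, so that any new 7045 event is reviewed rather than only the obviously odd ones.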
Barkly protects against the Silence banking trojan by blocking each of the payloads it attempts to install and run, including the backdoor component. It also blocks the dropper, so the payloads never reach the computer in the first place. No information is stolen and no damage is done.