Barkly vs Malware
Jonathan Crowe
Nov 2017

Barkly vs. the Silence Banking Trojan

Photo by Dave Meier

Researchers have uncovered a new banking trojan with advanced surveillance capabilities targeting financial institutions. Get the facts on how it works and how to block it.

Banks and other financial institutions are top targets for cyber attacks, for obvious reasons. From the JPMorgan hack to last year's Swift attacks, infiltrating these organizations can result in massive profits for attackers in the form of cash and stolen information.

It's not too surprising, then, to see malware specifically designed to steal financial information on the rise lately (see Emotet, Ursnif, and Terdot). But one of the latest examples — a new trojan researchers at Kaspersky are calling "Silence" — is especially notable.

Silence has been used to compromise banks in Russia, Malaysia, and Armenia, and analysis indicates it uses sophisticated surveillance capabilities reminiscent of those used by the infamous Carbanak group, which experts believe stole upwards of $1 billion over the course of two years.

Let's take a closer look at the Silence trojan, how it operates, and how Barkly blocks it.

How banks are getting infected with the Silence trojan 

[Diagram: Silence banking trojan attack chain]

According to researchers, attacks begin with hackers gaining access to a bank employee's email account, which can be accomplished in any number of ways (phishing attack, using credentials found in data breach leaks, etc.). Spear phishing emails are then sent out from the employee's account disguised as routine requests other bank employees would expect to receive. 

[Image] A spear phishing email designed to spread Silence in a Russian organization. Source: Kaspersky


Included in these emails is an attachment — a Microsoft Compiled HTML Help (.chm) file. A .chm file is a compressed collection of HTML pages, and it is highly interactive. One of the key reasons it is being used in this case is that it can run JavaScript. 

Once a bank employee opens the .chm attachment it executes an embedded .htm content file. That file contains JavaScript that downloads and executes an obfuscated .VBS script, which in turn downloads and executes the final dropper file. 

The dropper is a Win32 executable file. Its job, once it lands on the victim machine, is to establish communication with the attacker's command and control (C&C) server and download the payloads responsible for the sneaky surveillance portion of the attack detailed below.
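The delivery chain above (a .chm attachment, JavaScript inside it, a downloaded .vbs, then a dropper executable) leaves a recognizable parent/child trail in process-creation telemetry. The following detection logic is an added example written for this post, not code from Barkly or Kaspersky. It assumes the Help viewer that opens .chm files is hh.exe and that the downloaded .vbs runs under wscript.exe or cscript.exe; those process names, and the sample events it runs over, are constructed for illustration rather than indicators taken from the report.

```python
"""Walk process ancestry in constructed Sysmon-style events and flag script
hosts (and executables they launch) that descend from the HTML Help viewer.
All process names below are assumed indicators; all events are constructed.
"""
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample: a benign Help session (pid 600), an admin script
# (pid 700), and the suspicious chain hh.exe -> wscript.exe -> dropper.
SAMPLE_EVENTS = [
    Event(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Microsoft Office\outlook.exe", "outlook.exe"),
    Event(300, 200, r"C:\Windows\hh.exe", r"hh.exe C:\Users\anna\Downloads\request.chm"),
    Event(400, 300, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe //B C:\Users\anna\AppData\Local\Temp\upd.vbs"),
    Event(500, 400, r"C:\Users\anna\AppData\Local\Temp\svc_upd.exe", "svc_upd.exe"),
    Event(600, 100, r"C:\Windows\hh.exe", r"hh.exe C:\Windows\Help\mui\0409\mmc.chm"),
    Event(700, 100, r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Scripts\inventory.vbs"),
]

# Assumed indicators: the Help viewer and the script hosts worth watching.
HELP_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def image_name(path):
    """File name component of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events_by_pid, pid):
    """Yield parent, grandparent, ... until no recorded parent remains."""
    seen = set()
    ev = events_by_pid.get(pid)
    while ev is not None and ev.ppid not in seen:
        seen.add(ev.ppid)
        parent = events_by_pid.get(ev.ppid)
        if parent is None:
            return
        yield parent
        ev = parent


def find_chm_chains(events):
    """Return (pid, reason) alerts for processes descended from hh.exe:
    script hosts launched under it, and anything a script host then ran."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        lineage = list(ancestors(by_pid, e.pid))
        if not any(image_name(a.image) == HELP_VIEWER for a in lineage):
            continue  # a plain hh.exe session with no hh.exe ancestor is not flagged
        if name in SCRIPT_HOSTS:
            alerts.append((e.pid, f"script host {name} launched from {HELP_VIEWER}"))
        elif name != HELP_VIEWER and any(image_name(a.image) in SCRIPT_HOSTS for a in lineage):
            alerts.append((e.pid, f"{name} executed by a script host under {HELP_VIEWER}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_chm_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

Opening a .chm from Help itself (pid 600) and an administrator's cscript.exe run from Explorer (pid 700) produce no alert; only the wscript.exe child of hh.exe and the executable it spawned are reported, which is the pairing a SOC analyst would want to triage first.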

Silence records victim activity with a "real-time pseudo-video stream"

The primary goal of the Silence payloads is to monitor and capture the infected victim's activity by taking repeated screenshots of their screen at quick intervals. This allows attackers to later piece together a stop-motion-esque stream of the bank employee's day-to-day activities, providing them with insight into the software and systems the bank utilizes, its organizational structure and procedures, not to mention capturing usernames, passwords, and other sensitive information.

One obvious benefit of this approach is that, compared to video recordings, screenshots take significantly fewer resources to produce and transmit. That helps the appropriately named Silence operate more quietly in the background without the victim noticing. 

In addition to the victim monitoring and activity-capturing payloads, Silence also installs a backdoor that provides attackers with the ability to install additional payloads and access the victim machine at any time. 

As Kaspersky researchers point out, what makes these payloads especially dangerous is that they are designed to blend in with typical system administration activity. They are registered as Windows services and take advantage of otherwise legitimate system tools like the Windows Graphics Device Interface (GDI), the Windows API, and the Winexecsvc tool (which enables remote commands similarly to psexec, but from Linux-based systems).

Watch Barkly in action vs. Silence 

Barkly provides protection against the Silence banking trojan by blocking each of the payloads it attempts to install and run, including the backdoor component. It also blocks the dropper, meaning the payloads never actually touch the computer in the first place. No information is stolen and no damage is done.

Find out more about Barkly and how it can keep your organization more secure.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
