Silence – The Trojan That Has Hit Ten Major Banks And Counting

This new Trojan strain records all the activity on the victim’s computer.

We are starting November on the wrong foot after the discovery of Silence, a new Trojan that has already attacked ten banks, most of them in Russia and the rest in Malaysia and Armenia. Little is known about the group behind it, but researchers say its members are Russian-speaking.

How it works

Silence is not the initial foothold: to deploy it, the attackers first need a computer or mailbox that is already compromised inside the bank. From that compromised account they email another member of staff, so the message carries a real colleague's address as the sender and looks like any other internal request (see below): it asks for an account to be opened for a new customer and attaches the customer's "contract". The attachment has a .chm extension, a Microsoft Compiled HTML Help file, a format that packages HTML pages and can therefore carry JavaScript. The embedded HTML does contain malicious JavaScript which, once the help file is opened, loads and runs a dropper, and the dropper in turn installs the modules of the Silence Trojan. Because the message genuinely originates from the compromised account, sender checks such as SPF and DKIM have nothing to flag; the attachment is the anomaly.

Spear-phishing email in Russian
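One control that would have caught the lure described above is attachment screening at the mail gateway. The following is an added example, not code from the original post, from any affected bank or from Kaspersky Lab: it parses a message, quarantines any Compiled HTML Help container regardless of its file name, and notes when an embedded script tag is visible in the raw bytes. The sample message, the addresses and the fake CHM bytes are constructed for the example; a real CHM normally stores its HTML LZX-compressed, so the script-tag scan is a bonus signal, not the decision. Sender checks are left out deliberately, since in this campaign the message really came from a compromised internal mailbox.

```python
"""Mail-gateway screening for the Silence delivery vector: an internal-looking
message carrying a .chm (Compiled HTML Help) attachment.
Added example; not code from the original post or from Kaspersky Lab.
"""
import os
import email
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # ITSS container header: first four bytes of every .chm file


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(filename.lower())[1]
    is_chm = data[:4] == CHM_MAGIC
    if is_chm:
        disguise = "" if ext == ".chm" else f" (renamed to '{ext or 'no extension'}')"
        findings.append(f"{filename}: Compiled HTML Help container{disguise}")
        # HTML objects live in the CHM content section. If that section is stored
        # uncompressed the script tag is visible in the raw bytes; if it is
        # LZX-compressed it is not, so a miss here is not evidence of safety.
        if b"<script" in data.lower():
            findings.append(f"{filename}: embedded <script> visible in raw bytes")
    elif ext == ".chm":
        findings.append(f"{filename}: .chm extension without a CHM header")
    return findings


def screen_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and decide whether to quarantine it.

    Policy (assumed for the example): any CHM container, however named, is
    quarantined. No sender checks: in the Silence campaign the message came from
    a genuinely compromised mailbox, so From, SPF and DKIM all look legitimate.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    quarantine = any("Compiled HTML Help" in f or ".chm extension" in f
                     for f in findings)
    return {"from": str(msg["From"]), "quarantine": quarantine,
            "findings": findings}


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed test message modelled on the lure described in the post."""
    msg = EmailMessage()
    msg["From"] = "colleague@bank.example"   # assumed internal address
    msg["To"] = "operations@bank.example"
    msg["Subject"] = "New customer account - contract attached"
    msg.set_content("Please open an account for the new customer; contract attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed stand-in for a malicious CHM: real header bytes, fake uncompressed body.
FAKE_CHM = (CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56
            + b"<html><body><script>/* dropper loader */</script></body></html>")

if __name__ == "__main__":
    print(screen_message(build_sample_message("contract.chm", FAKE_CHM)))
    print(screen_message(build_sample_message("contract.pdf", FAKE_CHM)))
    print(screen_message(build_sample_message("contract.pdf", b"%PDF-1.7 ...")))
```

The magic-byte check matters more than the extension check: renaming the file to .pdf or dropping the extension does not change the ITSF header, and a help file opened via hh.exe does not care about the name.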

Opening the attachment gives the attackers a foothold on the workstation, and that is only the first part of the attack. What sets Silence apart is what it does next: it loads separate malicious modules for specific tasks, among them screen recording and uploading the collected data. Kaspersky Lab researchers, who discovered the Trojan, said the main task of the monitoring module is to watch the victim's activity. It does so by taking repeated screenshots of the active screen and sending them back, which gives the attackers a real-time pseudo-video stream of everything the employee does.

The attackers then wait, often for a long time, monitoring the infected computers and collecting the data and the understanding of the bank's routines they need, until they are ready to execute the second part of the attack: taking the money from customer accounts. Simply and smoothly.

The current landscape

A very similar technique was used by the Carbanak group, where monitoring was the method to understand the victim’s day-to-day activity. This similarity, as well as others, could indicate that Silence is related to Carbanak, if not the same group, which would mean they are growing in sophistication, creativity, and power. As of today, the Silence Trojan attacks are still ongoing.

Sergey Lozhkin, a security expert at Kaspersky Lab, says the Silence Trojan “is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed.”

The sophistication of these attackers is pressuring banks to refine their anti-fraud strategies. As a preventive measure, some institutions believe staff should be trained better, since employees are the weakest link in this scheme, and some plan workshops to raise spear-phishing awareness. Unfortunately, however diligent employees are, attackers will keep finding creative ways to make a malicious message look like a legitimate one, prolonging the game of cat and mouse.

How to protect your customers

Banks need to think outside the box and start authenticating their clients differently. The key to reversing this kind of cyber attack is to take the burden off employees.

Our colleague Ryan Wilk, Vice President of Customer Success, said “financial institutions could render employee and customer account credentials stolen through these types of schemes useless to attackers if only they use techniques such as passive biometrics and behavioral analytics. These new technologies are based on observed behavior over the lifecycle of an employee’s or customer’s interactions, and not simply on a password or a security question.”

With behavioral and passive biometrics, even if attackers manage to steal credentials and account numbers, they will not be able to use them to complete a transaction, because they cannot replicate the behavior associated with the account holder when they try to access the account. This is why validating the user behind the device through a multi-layer authentication strategy, rather than credentials alone, is key to devaluing data stolen through Silence and other Trojans.
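A minimal illustration of the behavioral check described above, added here as an example and not the product code of the author's company or of any vendor: it builds a keystroke-timing profile (average key hold time and average gap between keys) from an account holder's past logins and scores a new login against it, so that an attacker who types the correct stolen password with a different rhythm is routed to step-up authentication instead of being let through. The feature set, the thresholds and all timings are constructed simplifications for the example; a production system uses many more behavioral and device signals and far more history.

```python
"""Keystroke-dynamics check for a login: does the typing rhythm match the
account holder's history? Added example; not the page author's product code.
Features (hold time, inter-key gap), thresholds and all timings are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_HISTORY = 5     # assumed: fewer enrolled logins than this -> no usable profile
THRESHOLD = 3.0     # assumed: largest tolerated z-score before step-up authentication
MIN_SD_MS = 1.0     # floor on the standard deviation so an unusually regular
                    # history cannot make the check reject every new login


@dataclass
class Profile:
    dwell_mean: float   # mean key hold time (key-down to key-up) in ms
    dwell_sd: float
    flight_mean: float  # mean gap from key-up to the next key-down in ms
    flight_sd: float
    n_sessions: int


def features(session):
    """session: list of (key_down_ms, key_up_ms) per keystroke, in typing order."""
    dwell = [up - down for down, up in session]
    flight = [nxt_down - up for (_, up), (nxt_down, _) in zip(session, session[1:])]
    return mean(dwell), mean(flight)


def build_profile(sessions):
    """Enrol a profile from the account holder's previous logins."""
    dwells, flights = zip(*(features(s) for s in sessions))
    return Profile(mean(dwells), max(pstdev(dwells), MIN_SD_MS),
                   mean(flights), max(pstdev(flights), MIN_SD_MS), len(sessions))


def score(profile, session):
    """Largest z-score of the session's features against the enrolled profile."""
    d, f = features(session)
    return max(abs(d - profile.dwell_mean) / profile.dwell_sd,
               abs(f - profile.flight_mean) / profile.flight_sd)


def decide(profile, session):
    """'allow' when the rhythm matches history; 'step_up' when it does not, or
    when there is too little history to judge (the password alone never suffices)."""
    s = score(profile, session)
    if profile.n_sessions < MIN_HISTORY or s >= THRESHOLD:
        return {"decision": "step_up", "score": round(s, 2)}
    return {"decision": "allow", "score": round(s, 2)}


# --- constructed data: a 10-character password typed with deterministic jitter ---
DWELL_JITTER = [3, -2, 1, 0, -3, 2, -1, 0, 2, -2]   # zero-mean, one per keystroke
FLIGHT_JITTER = [2, -1, 0, 3, -2, 1, -3, 0, 0]      # zero-mean, one per gap


def make_session(dwell_ms, flight_ms):
    """Synthesise one login's keystroke timings around a base hold time and gap."""
    session, t = [], 0.0
    for i in range(10):
        down = t
        up = down + dwell_ms + DWELL_JITTER[i]
        session.append((down, up))
        if i < 9:
            t = up + flight_ms + FLIGHT_JITTER[i]
    return session


# Eight enrolled logins by the genuine account holder (hold ~90 ms, gap ~142 ms).
LEGIT_SESSIONS = [make_session(d, f) for d, f in
                  [(90, 140), (92, 145), (88, 138), (94, 150),
                   (91, 142), (89, 139), (93, 147), (90, 141)]]
PROFILE = build_profile(LEGIT_SESSIONS)

if __name__ == "__main__":
    print("account holder:", decide(PROFILE, make_session(91, 143)))
    # The attacker has the correct password (same keys) but a different rhythm.
    print("stolen password:", decide(PROFILE, make_session(55, 320)))
```

The point of the example is the last line: the attacker's input is textually identical to the victim's, so a credential check passes, and only the timing profile separates the two. Note also the "too little history" branch, which is where a real deployment spends most of its effort; a new account has no rhythm to compare against and must fall back to other signals.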

The financial industry should take advantage of these new and proven technologies to protect its customers, and to protect itself from financial losses and brand damage. Rendering stolen personally identifiable information useless will restore trust between customers and financial institutions.
