A new targeted attack on financial institutions has been uncovered by researchers at Kaspersky Lab.
The discovery was made in September but the attacks by the ‘Silence’ trojan are still ongoing, mostly against banks in Russia, but also financial institutions in Malaysia and Armenia.
According to Kaspersky Lab, the attackers are using tools and techniques similar to the notorious Carbanak group uncovered by the security specialists in 2015.
The criminals begin their attack by using classic spear-phishing attempts with a malicious attachment. Unfortunately, there is a high chance this will get through, as the Silence attack is done after the cybercriminals have already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees.
This makes the spear-phishing emails look as unsuspicious as possible to future victims, and the attackers request a bank account be opened.
But the malicious attachment is a “Microsoft Compiled HTML Help” file and once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed.
“The goal of the script is to download and execute an obfuscated .VBS script which again downloads and executes the final dropper,” said Kaspersky Lab.
Once this is done, the attackers are able to gain persistent access to an internal banking network for a long period of time. This allows them to make video recordings of the day-to-day activity on bank employees’ PCs and learn how things work in their target banks, including, for example, which software is in use.
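The CHM-to-VBS chain described above leaves a characteristic process tree on the victim’s PC. The following is an added detection example, not code from the article or from Kaspersky Lab: it parses constructed process-creation log lines and flags a help-viewer process spawning a script host that in turn launches a further executable. It assumes hh.exe is the process that renders a CHM attachment; the script-host list and the dropper file name are placeholders.

```python
# Added example, not from the article: detection logic for the CHM -> script
# host -> dropper chain, run over constructed process-creation log lines.
# Assumption: hh.exe renders the CHM attachment; "dropper.exe" is a placeholder.
from collections import defaultdict

CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample log (one key=value event per line), not real telemetry.
SAMPLE_LOG = """\
pid=100 ppid=1 image=explorer.exe
pid=200 ppid=100 image=HH.EXE
pid=300 ppid=200 image=wscript.exe
pid=400 ppid=300 image=dropper.exe
pid=500 ppid=100 image=hh.exe
pid=600 ppid=500 image=notepad.exe
"""

def parse_log(text):
    """Parse key=value lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if all(k in fields for k in ("pid", "ppid", "image")):
            events.append({"pid": int(fields["pid"]),
                           "ppid": int(fields["ppid"]),
                           "image": fields["image"].lower()})
    return events

def suspicious_chains(events):
    """Return [viewer, script host, children...] chains rooted at the CHM viewer."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for viewer in (e for e in events if e["image"] == CHM_VIEWER):
        for host in children[viewer["pid"]]:
            if host["image"] in SCRIPT_HOSTS:
                chain = [viewer["image"], host["image"]]
                chain += [c["image"] for c in children[host["pid"]]]
                hits.append(chain)
    return hits

if __name__ == "__main__":
    for chain in suspicious_chains(parse_log(SAMPLE_LOG)):
        print("suspicious chain:", " -> ".join(chain))
```

The benign hh.exe that only spawns notepad.exe is not reported, so the rule keys on the script-host step rather than on help-file use alone.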
The attackers, says Kaspersky Lab, then use this information to steal as much money as possible when ready.
“Attacks on financial organization remain a very effective way for cybercriminals to make money,” said Kaspersky Lab. “The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests it is an expanding activity of the group. The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.”
“The group uses legitimate administration tools to fly under the radar in their post-exploitation phase, which makes detection of malicious activity, as well as attribution more complicated,” it added. “This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks.”
Kaspersky Lab recommended that financial organisations utilise advanced detection capabilities such as a solution that can detect all types of anomalies and scrutinise suspicious files at a deeper level.
Kaspersky Lab has previously warned that criminal gangs are now mimicking the stealth methods used by state-sponsored attackers to carry out swift break-and-enter jobs that give banks no time to identify the tell-tale signs of a long-term persistent attack.
In early 2016 a report estimated that more than two dozen large Russian banks had been targeted by hacking gangs in 2015, with the loss of millions of pounds.
But it was also reported in 2016 that a cyber-crime ring had stolen almost $1bn (£648m) from banks and financial institutions in 30 countries over the past two years, in one of the world’s biggest bank heists to date.