Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.

The group is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.

The Developer and the Operator

According to a report shared with BleepingComputer by international cybersecurity company Group-IB, the newest financially-motivated group on the market has a Developer and an Operator, each playing well-defined roles. The name they received from the researchers is Silence.

The Developer is in charge of building attack tools and customizing utilities employed by other money-driven cybercriminals. This betrays a highly qualified reverse engineer and access to malware samples typically available in private caches of security companies.

The other member of the group is the Operator, who appears to be a seasoned penetration tester. His role is to compromise banks and initiate the thefts.

Goup-IB says that based on their analysis the two are Russian speakers, presenting as evidence a list of commands in Russian, typed on an English keyboard. The analysis also states that based on the groups access to certain resources and their tactics, it is believed that they both have a background in legitimate whitehat security activities.

"From circumstantial analysis over two years of attacks, it appears that Silence group members have worked or are currently working in legitimate information security activities," Group-IB's report stated. "The group has access to non-public malware samples, patched Trojans available only to security experts and also TTP changes suggest that they modify their activity to mimic new attacks and red teaming activity."

The first robberies failed

Researchers tracked hackers' activity since 2016 when Silence failed to steal money via the AWS CBR (the Russian Central Bank’s Automated Workstation Client) - a system for interbank transactions. The problem was ultimately with the payment order and not with the intrusion technique.

In August 2016, one month after the initial strike, Silence regained access to the systems of the same bank and tried their luck once more.

"To do this, they downloaded software to secretly, take screenshots and proceeded to investigate the operator’s work via video, stream," researchers conclude.

Smooth sailing ahead

To Group-IB's knowledge, the first successful robbery occurred in October 2017 when they attacked ATM systems and managed to steal more than $100,000 in one night.

The next victory came in February 2018, when they snatched more than $550,000 from the ATMs of a bank's partner. Two months later, Silence stole another $150,000.

The picture below shows the tools used by the Silence and a timeline of its attacks.

Attackers are knowledgeable

"During the first operations, the cybercriminals used a third-party patched backdoor Kikothac without access to its source code. They chose a Trojan, which had been known since November 2015, and did not require a lot of time for reverse-engineering," the report explains.

The groups tool belt includes the Silence framework for attacking the target's infrastructure, the Atmosphere malware for jackpotting ATMs, Farse - a utility based on Mimikatz password extraction tool, and Cleaner, which is tasked with deleting the logs of the remote connection.

Dumping malware onto the victim's systems is done with the help of phishing domains and self-signed certificates.

"To evade content filtering systems they used DKIM and SPF. To create ‘legitimate’ emails purporting to be from the banks, the hackers used the banks’ domains that did not have configured SPF records," Group-IB says.

Skilled enough to modify an APT28 exploit

The decoy for the victim is typically a Microsoft Word document weaponized with exploits for CVE-2017-0199, CVE-2017-11882+CVE-2018-0802, CVE-2017-0262, and CVE-2018-8174 - all of them are vulnerabilities previously used in cybercriminal attacks.

The researchers discovered a clear clue about the skill level of the Developer when they noticed that Silence used an exploit from APT28, a nation-state cyber-espionage actor in Russia.

The exploit had been modified at the assembler instructions level. Without the source code or the builder of the malicious file, the Developer managed to adapt the exploit to their needs, something that proves advanced expertise in reverse engineering.

Financial institutions are more often becoming the target of sophisticated cybercriminals wanting to infiltrate their networks and take complete control over the infrastructure of interest.

In this respect, Silence is no different; but the group stands out because of its mastery in building custom tools. The utilities are used for moving laterally in the network, monitoring bank employees to learn the ropes, and ultimately for compromising the segment they are interested in.

Silence operates only in Russia at the moment, but the group sent phishing emails to banks in more than 25 countries. This suggests that the group feels ready to expand globally.