An attack on a bank in Bangladesh that caused losses of at least $3 million may be the work of the Silence hacker outfit, a relatively new, financially motivated group.

Silence came into the limelight back in September, when Group-IB, a company headquartered in Singapore that specializes in preventing cyber-attacks, published a report detailing resources and tactics of the group.

They have been operating since at least 2016, when they attempted to steal money through the Russian Central Bank's Automated Workstation Client.

The security company believes that the group has a core of two Russian-speaking individuals that are familiar with legitimate, whitehat security activities.

Bank unaware of the theft

Three private banks in Bangladesh (Dutch Bangla Bank Limited, NCC Bank, and Prime Bank) were hit in May by hackers who made off with at least $3 million through fraudulent withdrawals at ATMs in and outside the country.

According to local media, only Dutch Bangla Bank Limited (DBBL) recorded financial losses and the other two banks stated that they were able to thwart the attacks.

It appears that the bank learned about the theft only when the payment solution provider Visa asked it to settle payments for transactions clients had made in Cyprus.

Money mules caught

A video recorded on May 31 shows a Ukrainian money mule stealing the money from an ATM by simply inserting the payment card and waiting for the cash to come out.

The individual talked on the phone before each withdrawal, indicating that the machine was controlled by a remote operator who sent the cash-dispensing commands.

The Ukrainian was arrested along with five other individuals of the same nationality in connection with the theft. They ran the same routine on nine other ATMs and stole about $19,000.

Evidence points to Silence

Based on threat intelligence and their knowledge of the group's infrastructure and tactics, Group-IB believes that the attack on DBBL was coordinated by the Silence hackers.

Rustam Mirkasymov, Head of Dynamic Analysis of Malicious Code at Group-IB, told BleepingComputer that dispensing the money as seen in the video was possible in two ways:

1. By getting access to the bank's ATM network and installing a jackpotting toolkit called Atmosphere; the cybercriminals could then coordinate with the money mules and send the commands for dispensing the money.

2. By compromising the card processing system to modify ATM transaction limits.

Both methods have previously been seen in hacking activity attributed to Silence.

Mirkasymov told us that Group-IB's discovery that DBBL hosts were communicating with a Silence command and control (C2) server located at 103[.]11.138.198 supports the theory that this was the work of the Silence threat actor.

The hackers probably used the trojans from their arsenal: Silence.Downloader (aka TrueBot) and Silence.MainModule to execute remote commands and download files from compromised servers, and Silence.ProxyBot to act as a proxy server and redirect traffic from the hidden node to the backconnect server via a compromised PC.

Connections to the hackers' C2 machine had been occurring since at least February 2019. Such a long period of compromise is typical for bank heists of this level, as the intruders need to find the systems of interest and learn the ropes before making the money-grabbing move.

Until now, Silence had been seen operating only in Russia, but previous investigations into the group's activity suggested that they were ready to tackle other regions.

"Having tested their tools and techniques in Russia, Silence has gained the confidence and skill necessary to be an international threat to international banks and corporations," says Mirkasymov.

Silence IOCs:

Silence.Downloader (aka TrueBot)

MD5 Hashes:

Silence.MainModule - fd133e977471a76de8a22ccb0d9815b2
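A defender's use for the indicators above is to check their own telemetry against them. The following is an added example, not code from the article or from Group-IB: it refangs the C2 address as printed above, scans a constructed proxy log (the log format is hypothetical) for connections to that address, reports the earliest contact so the dwell time can be scoped, and matches file MD5s against the hash published for Silence.MainModule. Only the IP and the hash come from the article; the host names, timestamps and other addresses in the sample log are constructed.

```python
import hashlib
import re

# Indicators exactly as published in the article (the IP is defanged there).
SILENCE_C2_IPS_DEFANGED = ["103[.]11.138.198"]
SILENCE_MD5 = {
    "fd133e977471a76de8a22ccb0d9815b2": "Silence.MainModule",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('103[.]11.138.198', 'hxxp://...') into its real form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_IPS = {refang(ip) for ip in SILENCE_C2_IPS_DEFANGED}

# Constructed sample proxy log. Hypothetical format:
#   <timestamp> <source host> <destination ip>:<port> <action>
SAMPLE_PROXY_LOG = """\
2019-02-11T08:14:02Z ws-0412 198.51.100.23:443 ALLOW
2019-02-11T08:14:09Z ws-0412 103.11.138.198:443 ALLOW
2019-02-11T08:15:33Z ws-0098 203.0.113.7:80 ALLOW
this line is deliberately malformed and must be skipped
2019-03-02T21:40:11Z srv-pay01 103.11.138.198:80 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def find_c2_connections(log_text: str, c2_ips=C2_IPS):
    """Return (timestamp, host, dst_ip) for every line whose destination is a known C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m.group("dst") in c2_ips:
            hits.append((m.group("ts"), m.group("host"), m.group("dst")))
    return hits


def first_contact(hits):
    """Earliest timestamp among the hits (ISO-8601 strings sort chronologically)."""
    return min(h[0] for h in hits) if hits else None


def affected_hosts(hits):
    """Distinct internal hosts that talked to the C2 address."""
    return sorted({h[1] for h in hits})


def md5_of_bytes(data: bytes) -> str:
    """MD5 of a file's contents, lower-case hex, matching the IOC list's format."""
    return hashlib.md5(data).hexdigest()


def match_hashes(md5_by_path: dict, known=SILENCE_MD5):
    """Given {path: md5}, return {path: family} for every hash on the IOC list (case-insensitive)."""
    return {path: known[h.lower()] for path, h in md5_by_path.items() if h.lower() in known}


if __name__ == "__main__":
    hits = find_c2_connections(SAMPLE_PROXY_LOG)
    print("C2 connections:", hits)
    print("first contact:", first_contact(hits))
    print("affected hosts:", affected_hosts(hits))
    # Constructed inventory of file hashes as an EDR or hash-sweep might produce it.
    inventory = {r"C:\Users\Public\update.exe": "FD133E977471A76DE8A22CCB0D9815B2"}
    print("hash matches:", match_hashes(inventory))
```

Hash comparison is normalised to lower case because hash sweeps and IOC feeds disagree on case; the log parser tolerates malformed lines so one bad record does not hide a real C2 contact elsewhere in the file.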