Security researchers have discovered a new attack against financial organizations, in which hackers break into their infrastructure and stay lurking for months to learn their internal procedures before starting to steal money.

Because of the extended period of time when attackers monitor and learn the behavior of their victims, researchers have dubbed the Trojan program used in this attack “Silence.” Since September, the malware has been identified inside the networks of banks from Russia, Malaysia and Armenia, but the attackers are likely to expand their operation, according to researchers from antivirus vendor Kapsersky Lab.

The cybercriminals behind Silence are not the first to incorporate stealthy techniques normally associated with cyberespionage and APT threats. In 2014, a cybercriminal group called Carbanak used similar methods to infect more than 100 financial institutions worldwide and steal $1 billion.

The Silence gang first compromises some machines at the targeted organizations, using methods that have yet to be determined, with the goal of gaining access to employee email accounts. The group then uses compromised accounts to send malicious spear-phishing emails to other employees, launching a multistage attack.

Those rogue emails seen by the Kaspersky researchers carry Microsoft Compiled HTML Help (CHM) files embedded with malicious code. When opened, the files execute rogue JavaScript code, which then downloads a malicious VBS script from an URL and runs it. The VBS script installs a malware dropper that connects to a command-and-control server and downloads multiple payloads that act as modules, each with different functionality.

One module continuously takes screenshots of the victim’s desktop and builds a real-time video stream for the attackers that allows them to monitor the employee’s activity. Another module allows attackers to execute Windows shell commands on the machine.

“Attacks on financial organizations remain a very effective way for cybercriminals to make money,” the Kaspersky researchers said in their report. “The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests it is an expanding activity of the group. The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.”

But while Carbanak was one of the first cybercriminal groups to target financial organizations using stealthy lateral movement techniques, it hasn’t been the only one. In 2016, Kaspersky researchers reported similar operations launched by two other gangs that used malware programs known as Metel and GCMAN.

More recently, a group known as FIN7 hit financial and other organizations with a sophisticated fileless malware framework. The group also uses legitimate system administration tools for lateral movement, making its detection inside corporate networks difficult.

“This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks,” the Kaspersky researchers said. “The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.”

The use of hacked email accounts to target employees from the same organization also has proven to be a very effective technique, and has come to be known as business email compromise (BEC). It’s typically used to steal money from companies by tricking employees who have access to bank accounts to initiate rogue transfers under the guise of payments for partners or suppliers. The targeted employees usually fall for the scam because the requests come from the legitimate, but compromised, email accounts of company executive or senior-level employees.

According to an alert from the FBI’s Internet Crime Complaint Center, between October 2013 and December 2016 attackers used the BEC technique to steal more than $5.3 billion in 40,203 domestic and international attacks.

— Lucian Constantin