ATK86

Presumed Origin: Eastern Europe < Back

Alias: Silence, Silence APT group, Silence group, WHISPER SPIDER

ATK86 (aka: Silence Group) is a Cybercrime group that has been active since the end of 2016, and has attacked mostly banks all over the world. The group is believed to be from a Russia, because most of their attacks (at least at the beginning), were directed against banks from Russia and former Soviet Union counties. Furthermore, they used very high level of Russian in their phishing emails, and it was found that some of the commands of their tools were in Russian. However, along the years, the group has shifted to attack banks all over the world such as in East Asia, Europe and more.

The group is known for their sophisticated and profound attacks, in which usually they take a long period of time to study the potential victim, to maximize the attack against them. In most cases, Spear-phishing emails were sent to bank employees, while having a malicious file attached to them. This usually downloaded the Silence Trojan that has many capabilities of stealing data, downloading additional tolls, track victims and more. A few versions of the toll were found, and it has shown that the group is continuing to enhance them. Furthermore, the group uses malwares to attack ATMs specifically, such as Atmosphere. At the begenning, the tools used to target ATM were developped by other cyber criminals but the group is currently useing homemade tools. Through this, the group was able to steal millions of dollars in cash along the years, mostly from banks in Russia, and Eastern Europe.

Some IP addresses used during theses attacks seems to be located in France, mostly from the OVH hoster.

In 2020 the group started to target Banks in Sub-Saharian Africa and threatens Australian banks of DDoS attacks if they will not pay large sums in Monero cryptocurrency.

According to Group-IB the Silence group started to by to TA505 access to banks which correlate with the diminution of spear-phishing attempt from Silence. TA505 seems to have sold at least the access to one European bank to Silence in end 2019.

REFERENCES

- 25/04/2017, PaloAlto, Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics
- 01/11/2017, Intezer, Silence of the Moles
- 01/11/2017, Kaspersky, Silence – a new Trojan attacking financial organizations
- 05/09/2018, Group-IB, Silence: Moving into the darkside, http://www.group-ib.com/resources/threat-research/silence.html
  05/09/2018, ZDnet, New Silence hacking group suspected of having ties to cyber-security industry, https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/
- 24/01/2019, Reaqta, Silence group targeting Russian Banks via Malicious CHM
  03/07/2019, Bleeping Computer, Silence Group Likely Behind Recent $3M Bangladesh Bank Heist, https://www.bleepingcomputer.com/news/security/silence-group-likely-behind-recent-3m-bangladesh-bank-heist/
- 20/08/2018, Group-IB, Silence 2.0 Going Global, https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
- 17/01/2020, Kaspersky, Silence before the storm: Russian speaking hacking group is attacking banks in Sub-Saharan Africa, https://kaspersky.africa-newsroom.com/press/silence-before-the-storm-russian-speaking-hacking-group-is-attacking-banks-in-subsaharan-africa?lang=en&utm_source=Sarbacane&utm_medium=email&utm_campaign=FL|INT%202020%20-%20015-%20Report%20of%20Silence%20activity%20in%20Sub-Saharan%20Africa
- 26/02/2020, Security Affairs, Silence Hacking Crew threatens Australian banks of DDoS attacks, https://securityaffairs.co/wordpress/98490/cyber-crime/australian-banks-ddos-extortionists.html
- 07/05/2020, CERT-FR, Le groupe cybercriminel SILENCE, https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-004/

Target sector

Financial Services
Government and administration agencies

Target countries

Armenia
Austria
Azerbaijan
Bangladesh
Belarus
Cyprus
Czechia
Georgia
Germany
Greece
Hong Kong
Israel
Kazakhstan
Kenya
Kyrgyzstan
Latvia
Malaysia
Poland
Romania
Russian Federation
Saudi Arabia
Serbia
Taiwan
Turkey
Ukraine
United Kingdom Of Great Britain And Northern Ireland
Uzbekistan
Viet Nam

Attack pattern

T1022 - Data Encrypted
T1027 - Obfuscated Files or Information
T1035 - Service Execution
T1043 - Commonly Used Port
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1060 - Registry Run Keys / Startup Folder
T1064 - Scripting
T1071 - Standard Application Layer Protocol
T1079 - Multilayer Encryption
T1082 - System Information Discovery
T1086 - PowerShell
T1105 - Remote File Copy
T1106 - Execution through API
T1107 - File Deletion
T1113 - Screen Capture
T1125 - Video Capture
T1132 - Data Encoding
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1170 - Mshta
T1193 - Spearphishing Attachment
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1219 - Remote Access Tools
T1223 - Compiled HTML File
T1489 - Service Stop

Motivation

Financial Gain

Malwares

Atmosphere
EDA
Farse
Ivoke
Kikothac
Perl IrcBot
Silence.proxybot(.net)
Silence Downloader (TrueBot)
Smoke Bot
SurveillanceModule (Slowroll)
xfs-disp.exe

Vulnerabilities

CVE-2017-0199
CVE-2017-0262
CVE-2017-11882
CVE-2018-0802
CVE-2018-8174