Skip to content

G0091 Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.32

Item Value
ID G0091
Associated Names Whisper Spider
Version 2.2
Created 24 May 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Whisper Spider 1

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Silence has used PowerShell to download and execute payloads.34
enterprise T1059.003 Windows Command Shell Silence has used Windows command-line to run commands.324
enterprise T1059.005 Visual Basic Silence has used VBS scripts.3
enterprise T1059.007 JavaScript Silence has used JS scripts.3
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.34
enterprise T1105 Ingress Tool Transfer Silence has downloaded additional modules and malware to victim’s machines.4
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Silence has named its backdoor “WINWORD.exe”.4
enterprise T1112 Modify Registry Silence can create, delete, or modify a specified Registry key or value.4
enterprise T1106 Native API Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.24
enterprise T1571 Non-Standard Port Silence has used port 444 when sending data about the system from the client to the server.4
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Silence has used environment variable string substitution for obfuscation.3
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.5 2
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.4
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. 324
enterprise T1055 Process Injection Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.4
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\Socks5.4
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Silence has used RDP for lateral movement.4
enterprise T1018 Remote System Discovery Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Silence has used scheduled tasks to stage its operation.3
enterprise T1113 Screen Capture Silence can capture victim screen activity.24
enterprise T1072 Software Deployment Tools Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.4
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).5
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File Silence has weaponized CHM files in their phishing campaigns.3254
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Silence has used Winexe to install a service on the remote system.24
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.324
enterprise T1078 Valid Accounts Silence has used compromised credentials to log on to other systems and escalate privileges.4
enterprise T1125 Video Capture Silence has been observed making videos of victims to observe bank employees day to day activities.24

Software

ID Name References Techniques
S0363 Empire 5 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0195 SDelete 4 Data Destruction File Deletion:Indicator Removal
S0191 Winexe 2 Service Execution:System Services

References

  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  2. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. 

  3. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  4. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  5. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.