Shush... Russian Banks Under Phishing Attack

Banks in Russia were the target of a massive phishing campaign  beginning last week that aimed to deliver a tool used by the Silence group of hackers. 

The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.

Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.

The group Silence is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.

The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients to open the attachment in order to check the latest details on the "standardisation of the format of CBR's electronic communications."

Email authentication mechanism saves the day

International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to the official CBR correspondence. This supports the theory that the attackers had access to legitimate emails from CBR.

If Silence hackers have any ties with the legal side of reverse engineering and penetration testing, it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work.

In a report published today, Group-IB says that the attackers spoofed the sender's email address but the messages did not pass the DKIM (DomainKeys Identified Mail) validation. DKIM is a solution specifically designed to prevent forged email addresses by adding to the message a signature that confirms its authenticity.

Banks see more spear-phishing from a different group

The Silence hackers are not the only ones trying their spear-phishing game on Russian banks. On October 23, another notorious group, MoneyTaker, ran a similar campaign against the same type of targets.

Their message spoofed an email address from the Financial Sector Computer Emergency Response Team (FinCERT) and contained five attachments disguised as documents from CBR.

"Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates," says Rustam Mirkasymov, Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert.

These clues, along with server infrastructure associated with the MoneyTaker group, allowed the security experts to identify the perpetrator.

As in the case of Silence, this attacker is also thought to have had access to CBR documents, most likely from compromised inboxes of Russian banks employees. This allowed them to craft messages that would pass even eyes trained in spotting fraudulent emails.

Silence and MoneyTaker are dangerous threats to Banks

According to Group-IB, multiple groups use the Central Bank of Russia in spear-phishing operations, and for good reason, since the organisation dictates regulations to financial institutions in the country and maintains a constant communication flow with them.

Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organisations. Referring to the latter, the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities. 

The goal is to access the internal nodes that enable them to withdraw money from ATMs, process cards or interbank transfers.

Although Silence uses mainly phishing, they are more careful about crafting the message, paying attention to both content and design, adds Group-IB's threat intelligence expert.

Bleeping Computer:

You Might Also Read:

Don't Underestimate The Impact Of Phishing

How Cyber Attackers Stole £2.26m From Tesco Bank Customers:

 

« Next-Gen Robotic Process Automation Leverages AI And Machine Learning
Russian Cyber Security Firm Kaspersky Moves Away From Moscow »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

Idaptive

Idaptive

Idaptive delivers Next-Gen Access through a zero trust approach. Idaptive secures access everywhere with single sign-on, adaptive MFA, EMM and analytics.

Penningtons Manches Cooper

Penningtons Manches Cooper

Penningtons Manches Cooper is a leading UK law firm providing high quality legal advice in areas including Data Protection, Cyber Security and Cyber Crime.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Pinpoint Search Group

Pinpoint Search Group

Pinpoint Search Group's recruiters specialize in Information Management, Cyber Security, Cloud and Robotic Process Automation (RPA).

Cira Info Tech

Cira Info Tech

Cira InfoTech’s cyber security and network consulting and managed services deliver unmatched talented resources and capabilities required to design and build an agile and adaptive IT environment.

Gem Security

Gem Security

Gem is on a mission to help security operations evolve into the cloud era, and stop cloud threats before they become incidents.

Onwardly

Onwardly

For everyday folks tasked with implementing security and privacy. Do it faster with Onwardly - build, launch and scale your cyber resilience program in 30 minutes per week.

Excite Cyber

Excite Cyber

Excite Technology Services (formerly Cipherpoint) is focused on improving the security posture of our customers.

B&L PC Solutions

B&L PC Solutions

B&L PC Solutions deliver top cyber security services on Long Island and New York city to protect businesses from evolving online threats.

HTX (Home Team Science & Technology Agency)

HTX (Home Team Science & Technology Agency)

HTX brings together science and engineering capabilities to transform the homeland security landscape and keep Singapore safe.

Vantor

Vantor

Vantor is a Managed Security Services Provider (MSSP) that specializes in providing outsourced, managed cybersecurity services.

Bureau

Bureau

Bureau is a no-code, identity decisioning platform that offers businesses the complete range of risk, compliance and ongoing fraud monitoring solutions innovated with AI.

Harmony Intelligence

Harmony Intelligence

Harmony builds cutting-edge defensive AI products that safeguard people and critical infrastructure around the world from AI-powered threats.

Virtual Cyber Labs

Virtual Cyber Labs

Virtual Cyber Labs is a 21st generation Cybersecurity Edu-Tech company that offers an all-in-one hub including custom syllabus and labs.

United Nations Office of Counter-Terrorism (UNOCT)

United Nations Office of Counter-Terrorism (UNOCT)

UNOCT provides UN Member States with the necessary policy support of the UN Global Counter-Terrorism Strategy, and wherever necessary, expedites delivery of technical assistance.