Shush... Russian Banks Under Phishing Attack

Banks in Russia were the target of a massive phishing campaign beginning last week that aimed to deliver a tool used by the Silence group of hackers.

The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.

Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.

The group Silence is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.

The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients to open the attachment in order to check the latest details on the "standardisation of the format of CBR's electronic communications."

Email authentication mechanism saves the day

International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to the official CBR correspondence. This supports the theory that the attackers had access to legitimate emails from CBR.

If Silence hackers have any ties with the legal side of reverse engineering and penetration testing, it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work.

In a report published today, Group-IB says that the attackers spoofed the sender's email address, but the messages did not pass DKIM (DomainKeys Identified Mail) validation. DKIM is designed to counter forged sender addresses: the sending domain adds a cryptographic signature to the message that the receiving server can verify, so a message that merely claims to come from a domain, without that domain's signing key, fails the check.
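As an added illustration of the check that caught these mails (this is not Group-IB's tooling and is not from the original article), the Python below reads the receiving server's Authentication-Results verdict and the DKIM signing domain from a constructed message and flags a watched sender whose DKIM validation fails or whose signer does not match the From: domain. The watched domain, host names and sample headers are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the defender maintains this list; "cbr.example" is a constructed
# stand-in for the impersonated regulator, not its real domain.
WATCHED_DOMAINS = {"cbr.example"}

def from_domain(msg):  # domain of the From: address, what the reader sees
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dkim_signing_domain(msg):  # d= tag of DKIM-Signature: who actually signed
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None

def dkim_result(msg):  # dkim= verdict the receiving MTA wrote (RFC 8601)
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdkim=([a-z]+)", hdr, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"  # no verdict at all counts as unauthenticated

def assess(raw_message):
    """Return 'authenticated', 'not-watched' or a 'suspicious: ...' reason."""
    msg = message_from_string(raw_message)
    sender, signer, result = from_domain(msg), dkim_signing_domain(msg), dkim_result(msg)
    if sender not in WATCHED_DOMAINS:
        return "not-watched"
    if result != "pass":
        return f"suspicious: dkim={result} for watched sender {sender}"
    if signer != sender:  # strict alignment: signer must equal the From: domain
        return f"suspicious: dkim pass but signed by {signer}, not {sender}"
    return "authenticated"

# Constructed sample: From: claims the watched domain but the gateway's verdict
# is dkim=fail, the situation described for the spoofed CBR mails.
SPOOFED = """\
From: "Central Bank" <info@cbr.example>
To: ops@victim-bank.example
Subject: Standardisation of the format of electronic communications
Authentication-Results: mx.victim-bank.example; dkim=fail header.d=cbr.example
DKIM-Signature: v=1; a=rsa-sha256; d=cbr.example; s=sel; h=from:to:subject; bh=x; b=y

Please review the attached document.
"""
# Constructed counterparts: a verified message, and one signed by a third party.
LEGIT = SPOOFED.replace("dkim=fail", "dkim=pass")
MISALIGNED = LEGIT.replace("d=cbr.example", "d=bulkmail.example")
```

A mail gateway would normally apply this after its own DKIM verification; the script only interprets the verdict that verification recorded.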

Banks see more spear-phishing from a different group

The Silence hackers are not the only ones trying their spear-phishing game on Russian banks. On October 23, another notorious group, MoneyTaker, ran a similar campaign against the same type of targets.

Their message spoofed an email address from the Financial Sector Computer Emergency Response Team (FinCERT) and contained five attachments disguised as documents from CBR.

"Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates," says Rustam Mirkasymov, head of Group-IB's Dynamic Analysis of Malware department and threat intelligence expert.

These clues, along with server infrastructure associated with the MoneyTaker group, allowed the security experts to identify the perpetrator.

As in the case of Silence, this attacker is also thought to have had access to CBR documents, most likely from compromised inboxes of Russian bank employees. This allowed them to craft messages that would pass even eyes trained in spotting fraudulent emails.

Silence and MoneyTaker are dangerous threats to banks

According to Group-IB, multiple groups use the Central Bank of Russia in spear-phishing operations, and for good reason, since the organisation dictates regulations to financial institutions in the country and maintains a constant communication flow with them.

Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organisations. Referring to the latter, the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities.

The goal is to access the internal nodes that enable them to withdraw money from ATMs or to process card or interbank transfers.

Although Silence uses mainly phishing, they are more careful about crafting the message, paying attention to both content and design, adds Group-IB's threat intelligence expert.

Bleeping Computer:
