The Russian-speaking group Silence attacks banks and consists of only two people.

Teacher


Hello, cyberstalkers! Hello, random carders. And there are heroes in hell. They can, guys, they can, whenever they want. Group-IB experts have published a report on the discovery of a little-studied hacker group that attacks banks like Cobalt or MoneyTaker.

Go:
Dimension.
The first traces of the hacker group, called Silence, were discovered by Group-IB experts back in June 2016. The report says that at that time the cybercriminals were only beginning to try their hand.
One of the first targets of Silence was a bank in Russia, which they tried to attack through the KBR Automated Workplace (the automated workplace of a Bank of Russia client). After that, the hackers "fell silent" for a long time. Later it turned out that this is standard practice for Silence: they attack selectively, and about three months pass between incidents, which is three times longer than for other groups that specialize in targeted attacks, such as MoneyTaker, Anunak (Carbanak), Buhtrap, or Cobalt.
Researchers believe that the reason lies in the extremely small number of members of Silence. For the first time in its entire practice of cyber intelligence and cybercrime investigations, Group-IB encountered such a structure and role distribution in a group. Silence constantly analyzes the experience of other criminal groups and tries to apply new techniques and methods of theft from various banking systems, including the KBR Automated Workplace, ATMs, and card processing. In less than a year, the volume of theft by Silence has increased fivefold.

The experts' working version is that the Silence team clearly shows only two roles: the operator and the developer. Probably, the operator is the leader of the group. Judging by the nature of his actions, he is a pentester who is well acquainted with the tools for conducting penetration tests in banking infrastructure. This knowledge allows the group to easily navigate within the bank under attack. It is the operator who gets access to secure systems inside the bank and starts the theft process.
The developer is also a highly qualified reverse engineer. His academic knowledge of how programs are created does not prevent him from making mistakes in the code. He is responsible for developing tools for conducting attacks, and is also able to modify complex programs written by others. At the same time, he uses a little-known Trojan for patching, which has not previously been found in any other group. In addition, he knows ATM technologies and has access to malware samples that are usually contained only in the databases of information security companies.
Researchers note that even at the beginning of its journey, in the summer of 2016, Silence did not have the skills to hack into banking systems and in the process of its first operations learned directly from the attack. Members of the group carefully analyzed the experience, tactics, and tools of other criminal groups. They constantly tried to put into practice new techniques and methods of theft from various banking systems, including automated control systems of the KBR, ATMs, and card processing.
Skills in reverse engineering and pentest, unique tools that hackers have created to break into banking systems, the choice of an unknown Trojan for patching, as well as numerous erroneous actions confirm the hypothesis that the background of Silence is most likely legitimate. At least one of the hackers worked (or continues to work) for an information security company.
Like most financially motivated APT groups, Silence members speak Russian, as evidenced by the language of the program commands, the preferred location of the leased infrastructure, the choice of Russian-speaking hosters, and the location of targets:

Commands of the Silence Trojan, Russian words typed in the English keyboard layout:
  • htrjyytrn > reconnect >> reconnect;
  • htcnfhn > restart >> restart;
  • ytnpflfybq > notasks >> no tasks.
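The layout trick above is easy to undo: each Latin character is simply the key in the same physical position on the Russian ЙЦУКЕН layout. The following is an added example (not code from the Group-IB report or from the Silence toolset) that decodes such strings so an analyst can recognize them in a binary or in C2 traffic; the command meanings table is constructed from the three commands quoted on the page.

```python
# Added example, not from the Group-IB report or the Silence toolset:
# decode strings that were typed in the Russian ЙЦУКЕН layout while
# the keyboard was switched to US QWERTY, as in the Trojan's commands.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./`"
JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбю.ё"
assert len(QWERTY) == len(JCUKEN)

# Translation table for both lower- and upper-case keys.
_TABLE = {ord(q): c for q, c in zip(QWERTY, JCUKEN)}
_TABLE.update({ord(q.upper()): c.upper() for q, c in zip(QWERTY, JCUKEN)})


def decode_ru_layout(text):
    """Map each QWERTY character to the key in the same position on ЙЦУКЕН."""
    return text.translate(_TABLE)


# Meanings of the three commands quoted on the page (constructed lookup).
KNOWN_COMMANDS = {
    "реконнект": "reconnect",
    "рестарт": "restart",
    "нетзаданий": "no tasks",
}


def classify_strings(strings):
    """Return {raw: (decoded form, meaning or None)} for candidate strings.

    Strings whose decoded form is a known command are the ones an analyst
    would flag when triaging samples or traffic for this family.
    """
    result = {}
    for s in strings:
        decoded = decode_ru_layout(s)
        result[s] = (decoded, KNOWN_COMMANDS.get(decoded))
    return result


if __name__ == "__main__":
    # Constructed sample: the three commands from the page plus ordinary noise.
    sample = ["htrjyytrn", "htcnfhn", "ytnpflfybq", "kernel32"]
    for raw, (dec, meaning) in classify_strings(sample).items():
        print(f"{raw:12} -> {dec:12} {meaning or '(unknown)'}")
```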

Goals
The group's main targets are located in Russia. Successful Silence attacks are limited to the CIS and Eastern Europe: Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan. However, individual phishing emails were also sent to bank employees in more than 25 countries in Central and Western Europe, Africa and Asia: Kyrgyzstan, Armenia, Georgia, Serbia, Germany, Latvia, Czech Republic, Romania, Kenya, Israel, Cyprus, Greece, Turkey, Taiwan, Malaysia, Switzerland, Vietnam, Austria, Uzbekistan, Great Britain, Hong Kong and others.

The chronology of Silence attacks is as follows:
  • 2016, July - an unsuccessful attempt to withdraw money through the Russian interbank transfer system, the KBR Automated Workplace. The attackers gained access to the system, but the attack failed due to an incorrectly prepared payment order. The bank stopped the suspicious transaction and responded on its own, trying to eliminate the consequences of the attack. This led to a new incident.
  • 2016, August - a new attempt to hack the same bank. Just a month later (!), after the failure with the KBR Automated Workplace, the hackers restored access to the servers of this bank and made a second attempt. To do this, they downloaded a program for covertly taking screenshots of the user's screen and began to study the operators' work through this pseudo-video stream. This time, the bank decided to involve Group-IB experts to respond to the incident. The attack was prevented. However, it was not possible to restore the full chronology of the incident, because when trying to clean up the network on its own, the bank's IT service deleted most of the traces of malicious activity.
  • 2017, October - the first known successful withdrawal of money by this group. This time Silence attacked ATMs. In one night, they managed to steal 7,000,000 rubles. In the same year, they conducted DDoS attacks using a Perl IRC bot and used public IRC chats to control Trojans. After the failed attack through the interbank transfer system in 2016, the criminals no longer tried to withdraw money through it, even though they had access to the servers of the KBR Automated Workplace.
  • 2018, February - a successful attack via card processing: over a weekend, the attackers managed to withdraw 35,000,000 rubles from cards via ATMs of a partner bank.
  • 2018, April - just two months later, the group returns to the previous scheme and withdraws money through ATMs. They manage to "take out" about 10,000,000 rubles in one night. This time, the programs created by Silence were improved: they got rid of unnecessary functions and previous errors.

Tools and infrastructure
According to Group-IB, during the first operations, Silence hackers used other people's tools and learned literally during the attack. However, over time, they moved from using other people's tools to developing their own and significantly improved their tactics.

In the first operations, the cybercriminals patched someone else's little-distributed Kikothac backdoor. They chose a Trojan known since November 2015, for which reversing and implementing a server part did not take much time. The use of someone else's backdoor suggests that the group started working without prior preparation, and that the first operations were just an attempt to test their strength.

Later, criminals developed a unique set of tools for attacks on card processing and ATMs, which includes self-written programs:
  • Silence - a framework for attacking infrastructure.
  • Atmosphere - a set of programs for "eviscerating" ATMs.
  • Farse - a utility for getting passwords from an infected computer.
  • Cleaner - a tool for deleting remote connection logs.

Borrowed tools:
  • Smokebot - a bot for performing the first stage of infection.
  • A modified Perl IRC DDoS bot, based on the Undernet DDoS bot, for DDoS attacks.

The operator conducts attacks from a Linux machine using the WinExe utility (a Linux equivalent of PsExec), which can run programs on a remote host via the SMB protocol. After gaining a foothold on the system, the Silence Trojan installs a Meterpreter stager on the infected host. To access compromised computers, the cybercriminals use RAdmin, a program that administrators themselves install in some banks to remotely manage workstations.

The servers rented by the attackers for phishing attacks are located in Russia and the Netherlands. For command centers, they use hosting services from Ukraine that allow the placement of almost any content, including prohibited information, malicious applications and files. Several Silence servers were also rented from MaxiDed, whose infrastructure was blocked by Europol in May 2018.
Initially, the group used hacked servers and compromised accounts to send phishing emails, but later the criminals began registering phishing domains and creating self-signed certificates for them.
To bypass email filtering systems, they use DKIM and SPF. Emails are sent on behalf of banks that did not have SPF configured, from leased servers with spoofed headers. The attackers composed complete, competently written email texts and sent them on behalf of the bank's employees in order to increase the attack's chance of success.
The email attachments contained exploits for Microsoft Office Word (CVE-2017-0199, CVE-2017-11882 + CVE-2018-0802, CVE-2017-0262, and CVE-2018-8174) with decoy documents. In addition to exploits, emails were sent with attached CHM files, which is quite rare, as well as with .LNK shortcuts that run PowerShell and JS scripts.
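Why a bank without SPF is the easy spoofing target described above: a receiving mail server can only reject forged sender addresses when the claimed domain publishes a policy. The following is an added illustration (not code from the report): a minimal SPF evaluator over constructed DNS data, with documentation-range addresses and the two hypothetical domains bank-a.example (SPF published) and bank-b.example (no SPF); it handles only ip4/ip6 mechanisms and the trailing all.

```python
# Added example, not code from the Group-IB report: a minimal SPF check
# showing why mail spoofing a bank with no SPF record is not rejected.
import ipaddress

# Constructed DNS data: one bank publishes SPF, the other does not.
# Addresses are documentation ranges, not real infrastructure.
CONSTRUCTED_TXT = {
    "bank-a.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bank-b.example": None,  # no SPF record at all
}

# Result for a matching mechanism, by its qualifier (RFC 7208 semantics).
_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, sender_ip, txt_records=CONSTRUCTED_TXT):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Only ip4/ip6 mechanisms and the final 'all' are implemented here;
    include, a, mx and redirect are out of scope for this illustration.
    """
    record = txt_records.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        # Nothing to enforce: a spoofed envelope sender cannot be rejected.
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in _QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return _QUALIFIER_RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            # Version mismatch (IPv6 sender vs ip4 network) simply never matches.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return _QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no trailing 'all'


if __name__ == "__main__":
    # Constructed sending host outside bank-a's authorized range.
    for domain in ("bank-a.example", "bank-b.example"):
        print(domain, check_spf(domain, "198.51.100.5"))
```

The same forged message is rejected for bank-a.example but only yields "none" for bank-b.example, which is why a DMARC policy on top of SPF matters for the impersonated bank.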
"Silence in many ways revolutionizes the concept of cybercrime: by the nature of attacks, tools, tactics, and even the composition of the group, it is obvious that people who have recently been or are currently engaged in legal work – pentests and reverse engineering – are behind these crimes," comments Dmitry Volkov, Technical Director and Head of Cyber Intelligence at Group-IB. "They carefully study the activities of other cybercriminals and analyze reports from antivirus and Threat Intelligence companies, which does not prevent them from making a lot of mistakes and learning directly from the attack. A number of Silence's tools are legitimate, while others were developed by them themselves, taking into account the experience of other groups. Studying the activities of Silence, we assumed that this is most likely an example of how a whitehat becomes a blackhat. The Internet, especially its underground part, opens up many opportunities for such metamorphoses. It is much easier to become a cybercriminal today than it was 5-7 years ago: you can rent servers, modify existing exploits, and use legal utilities. This greatly complicates the work of forensic experts, but greatly simplifies the ability to embark on the path of a hacker."

That's it, shadow runners! While someone jerks off in dotcom or fucks with a loader, normal guys who want to achieve something in this life do normal things, make normal loot and dump into the shadows.