Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Silence
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Silence
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)
ID: G0091
Associated Groups: Whisper Spider
Version: 2.1
Created: 24 May 2019
Last Modified: 02 Jun 2022

Associated Group Descriptions
Name Description
Whisper Spider (Citation: Crowdstrike GTR2020 Mar 2020)

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.(Citation: Group IB Silence Sept 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Silence has used PowerShell to download and execute payloads.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)
.003 Command and Scripting Interpreter: Windows Command Shell

Silence has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

.005 Command and Scripting Interpreter: Visual Basic

Silence has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019)

.007 Command and Scripting Interpreter: JavaScript

Silence has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Silence has named its backdoor "WINWORD.exe".(Citation: Group IB Silence Sept 2018)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.(Citation: Group IB Silence Sept 2018)
Enterprise T1588 .002 Obtain Capabilities: Tool

Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.(Citation: Group IB Silence Aug 2019) (Citation: SecureList Silence Nov 2017)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Enterprise T1090 .002 Proxy: External Proxy

Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\Socks5.(Citation: Group IB Silence Sept 2018)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Silence has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Silence has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)
Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Silence has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Aug 2019)(Citation: Group IB Silence Sept 2018)
Enterprise T1569 .002 System Services: Service Execution

Silence has used Winexe to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Enterprise T1204 .002 User Execution: Malicious File

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Software
ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Group IB Silence Aug 2019) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0191 Winexe (Citation: SecureList Silence Nov 2017) (Citation: Überwachung APT28 Forfiles June 2015) (Citation: Winexe Github Sept 2013) Service Execution
S0195 SDelete (Citation: Group IB Silence Sept 2018) (Citation: Microsoft SDelete July 2016) File Deletion, Data Destruction

References

  1. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  2. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  3. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  4. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
  5. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.