Silence
Associated Group Descriptions

Name | Description
---|---
Whisper Spider | (Citation: Crowdstrike GTR2020 Mar 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Silence has used
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Silence has used PowerShell to download and execute payloads.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Silence has used the Windows command line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Silence has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Silence has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Silence has deleted artifacts, including scheduled tasks, communication files from the C2 and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Silence has named its backdoor "WINWORD.exe".(Citation: Group IB Silence Sept 2018)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.(Citation: Group IB Silence Sept 2018)
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Silence has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silence Jan 2019)
Enterprise | T1588.002 | Obtain Capabilities: Tool | Silence has obtained and modified versions of publicly available tools like Empire and PsExec.(Citation: Group IB Silence Aug 2019)(Citation: SecureList Silence Nov 2017)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Enterprise | T1090.002 | Proxy: External Proxy | Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4/SOCKS5.(Citation: Group IB Silence Sept 2018)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Silence has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Silence has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Silence has used a valid certificate to sign its primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)
Enterprise | T1218.001 | System Binary Proxy Execution: Compiled HTML File | Silence has weaponized CHM files in its phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Aug 2019)(Citation: Group IB Silence Sept 2018)
Enterprise | T1569.002 | System Services: Service Execution | Silence has used Winexe to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Enterprise | T1204.002 | User Execution: Malicious File | Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
References
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
- Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
- GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.