Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)
ID: G0091
Associated Groups: Whisper Spider
Version: 2.2
Created: 24 May 2019
Last Modified: 17 Nov 2024

Associated Group Descriptions

Name Description
Whisper Spider (Citation: Crowdstrike GTR2020 Mar 2020)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.(Citation: Group IB Silence Sept 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Silence has used PowerShell to download and execute payloads.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)

.003 Command and Scripting Interpreter: Windows Command Shell

Silence has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

.005 Command and Scripting Interpreter: Visual Basic

Silence has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019)

.007 Command and Scripting Interpreter: JavaScript

Silence has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

Silence has deleted artifacts, including scheduled tasks, files received from the C2, and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Silence has named its backdoor "WINWORD.exe".(Citation: Group IB Silence Sept 2018)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.(Citation: Group IB Silence Sept 2018)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Silence has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silence Jan 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

Silence has obtained and modified versions of publicly available tools like Empire and PsExec.(Citation: Group IB Silence Aug 2019)(Citation: SecureList Silence Nov 2017)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Enterprise T1090 .002 Proxy: External Proxy

Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4/SOCKS5.(Citation: Group IB Silence Sept 2018)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Silence has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Silence has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Silence has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Aug 2019)(Citation: Group IB Silence Sept 2018)

Enterprise T1569 .002 System Services: Service Execution

Silence has used Winexe to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Enterprise T1204 .002 User Execution: Malicious File

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Software

ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Group IB Silence Aug 2019) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0191 Winexe (Citation: SecureList Silence Nov 2017) (Citation: Winexe Github Sept 2013) (Citation: Überwachung APT28 Forfiles June 2015) Service Execution
S0195 SDelete (Citation: Group IB Silence Sept 2018) (Citation: Microsoft SDelete July 2016) Data Destruction, File Deletion