Bank Robbery: Cyber Criminals Steal $1Billion

A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia is alleged to have stolen possibly as much as $1 billion worldwide from financial organisations.

The new group has been called Silence by researchers at Kaspersky Lab who recently published a report about the criminals’ activities, which bear a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.

“They are not Carbanak,” said Kaspersky Lab researcher Sergey Lozhkin. “They are using some of the same techniques at some points, but that’s it.”

Kaspersky Lab said it did not have information on the gang’s success, nor how much it had stolen to date. The attacks, however, are ongoing, the researchers said.

The researchers called the group’s attacks “targeted,” using spear phishing and a number of different means to maintain persistence on a bank’s internal network, monitor employee and system activities, and eventually stealing money.

“We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” Lozhkin said. “The most worrying thing here is that due to their, in-the-shadow, approach these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”

The spear-phishing emails contain attachments that eventually download and execute a dropper that reaches out to the attacker’s infrastructure. The backdoor is used to send system information and execute malicious code that uploads data, steals credentials and initiates tasks such as screen recording, which was a hallmark of Carbanak.

Silence, like Carbanak, uses these screen grabs to essentially create a video recording of daily activity on employees’ computers, amassing knowledge about internal processes before stealing money.

“We saw that technique before in Carbanak, and other similar cases worldwide,” Kaspersky Lab said in its report.

Kaspersky Lab said that the Silence gang’s spear-phishing emails are sent from an already-compromised financial network.

“The cyber-criminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank,” Kaspersky Lab’s report said. “The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”

Silence also makes use of a proprietary Microsoft online help format called Microsoft Compiled HTML Help, or CHM. CHM files are interactive and can run JavaScript, for example, which the attackers use to redirect victims to external URLs.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed,” Kaspersky Lab said. “This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.”

Once the dropper is unpacked and executed from the attacker’s command and control server, a number of payload modules are dropped that spy on systems and employees.

One of those modules is the screen monitor, which uses the Windows GDI and API tools to record screen activity using the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions, Kaspersky Lab said.

Threatpost

You Might Also Read:

Phishing Is  The Top Cyberattack Vector In 2017:

Russian Cyber Gang Arrested By …. Russia:

Thieves Drain Protected Bank Accounts:

 

« NotPetya Much Worse Than WannaCry
North Korea Denies Involvement In WannaCry »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Intercede

Intercede

Intercede is a cybersecurity company specializing in digital identities, derived credentials and access control, enabling digital trust in a mobile world.

Cyfor

Cyfor

Cyfor provides digital forensics and eDiscovery in civil, criminal, intellectual property, litigation and dispute resolution investigations.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

bwtech@UMBC

bwtech@UMBC

The bwtech@UMBC Cyber Incubator is an innovative business incubation program that delivers business and technical support to start-up and early-stage cybersecurity/IT products and services companies.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

InterGuard

InterGuard

As the pioneer for Unified Insider Threat Prevention and productivity monitoring tools, InterGuard offers on premise and SaaS-based services that are easily available and affordable.

SecureDrives

SecureDrives

Passwordless Authentication & Encrypted Data Storage Solutions from SecureDrives. We are enabling organisations to work safely and securely, using technology driven solutions.

Finnish Security & Intelligence Service (SUPO)

Finnish Security & Intelligence Service (SUPO)

The Finnish Security and Intelligence Service is a government agency tasked with combating serious threats to national security in Finland.

Saporo

Saporo

Saporo helps organizations increase their cyber-resistance. Continuously map your attack surface and get the recommendations you need to make your organization more resistant to attacks.

Arcanna.ai

Arcanna.ai

Using a wide range of out-of-the box integrations, Arcanna.ai continuously learns from existing enterprise cybersecurity experts and scales your team’s capacity to deal with threats.

Data Defenders

Data Defenders

Data Defenders provide information security technology solutions that empower consumers, businesses and governments with safe and secure IT and cybersecurity infrastructures.

All About Cookies

All About Cookies

All About Cookies is an informational website that provides tips, advice, and recommendations to help you with Online Privacy, Identity Theft Prevention, Antivirus Protection, and Digital Security.

Institute for Applied Network Security (IANS)

Institute for Applied Network Security (IANS)

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk.

AI Security Institute (AISI)

AI Security Institute (AISI)

The AI Security Institute’s mission is to minimise surprise to the UK and humanity from rapid and unexpected advances in AI.

Treacle Technologies

Treacle Technologies

Treacle Technologies are a Cyber Security startup with a focus on Defensive Security.

5S Technologies

5S Technologies

5S Technologies is a regional IT solutions and services provider based in Cary, NC and serving the Carolinas.