Shush... Russian Banks Under Phishing Attack

Uploaded on 2018-11-22 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, BUSINESS-Services-Financial, TECHNOLOGY--Hackers

Banks in Russia were the target of a massive phishing campaign  beginning last week that aimed to deliver a tool used by the Silence group of hackers. 

The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector.

Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.

The group Silence is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.

The fraudulent emails purported to come from the Central Bank of Russia (CBR) and contained a malicious attachment. The message body lured the recipients to open the attachment in order to check the latest details on the "standardisation of the format of CBR's electronic communications."

Email authentication mechanism saves the day

International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to the official CBR correspondence. This supports the theory that the attackers had access to legitimate emails from CBR.

If Silence hackers have any ties with the legal side of reverse engineering and penetration testing, it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work.

In a report published today, Group-IB says that the attackers spoofed the sender's email address but the messages did not pass the DKIM (DomainKeys Identified Mail) validation. DKIM is a solution specifically designed to prevent forged email addresses by adding to the message a signature that confirms its authenticity.

Banks see more spear-phishing from a different group

The Silence hackers are not the only ones trying their spear-phishing game on Russian banks. On October 23, another notorious group, MoneyTaker, ran a similar campaign against the same type of targets.

Their message spoofed an email address from the Financial Sector Computer Emergency Response Team (FinCERT) and contained five attachments disguised as documents from CBR.

"Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates," says Rustam Mirkasymov, Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert.

These clues, along with server infrastructure associated with the MoneyTaker group, allowed the security experts to identify the perpetrator.

As in the case of Silence, this attacker is also thought to have had access to CBR documents, most likely from compromised inboxes of Russian banks employees. This allowed them to craft messages that would pass even eyes trained in spotting fraudulent emails.

Silence and MoneyTaker are dangerous threats to Banks

According to Group-IB, multiple groups use the Central Bank of Russia in spear-phishing operations, and for good reason, since the organisation dictates regulations to financial institutions in the country and maintains a constant communication flow with them.

Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organisations. Referring to the latter, the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities. 

The goal is to access the internal nodes that enable them to withdraw money from ATMs, process cards or interbank transfers.

Although Silence uses mainly phishing, they are more careful about crafting the message, paying attention to both content and design, adds Group-IB's threat intelligence expert.

Bleeping Computer:

You Might Also Read:

Don't Underestimate The Impact Of Phishing

How Cyber Attackers Stole £2.26m From Tesco Bank Customers:

 

« Next-Gen Robotic Process Automation Leverages AI And Machine Learning
Russian Cyber Security Firm Kaspersky Moves Away From Moscow »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

evoila

evoila

evoila GmbH is one of the leading providers in consulting, analysis, implementation and management of cloud infrastructure.

Backup112

Backup112

Backup112 has been delivering professional cloud backup services since 2004.

Exprivia

Exprivia

Exprivia is active in the design, development and integration of IT systems including cyber security.

Nohau

Nohau

Nohau provide services for safe and secure embedded software development.

Cyberwrite

Cyberwrite

Cyberwrite was founded to provide underwriters around the world a unique and innovative Cyber Underwriting platform.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

GlobalPlatform

GlobalPlatform

GlobalPlatform’s specifications are highly regarded as the international standard for enabling digital services and devices to be trusted and securely managed throughout their lifecycle.

CyBOK - University of Bristol

CyBOK - University of Bristol

CyBOK is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

CHT Security

CHT Security

CHT Security is a Managed Security Service Provider (MSSP) specialized in cyber security technologies enabling enterprises to defense against cyber threats to networks, gateways and endpoints.

PeckShield

PeckShield

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products.

NetSPI

NetSPI

NetSPI is an information security penetration testing and vulnerability assessment management advisory firm.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

Mutare

Mutare

For three decades, Mutare has been empowering organizations to re-imagine a better way to connect through our transformative voice security, digital voice and text messaging solutions.

OneCollab

OneCollab

OneCollab, your unwavering ally in the dynamic landscape of IT services and cybersecurity.

BioID

BioID

BioID are a German company offering deepfake detection, liveness detection, facial authentication & identity verification as a Service. 

Tuskira

Tuskira

Tuskira is a Preemptive Cyber Defense & Response Platform powered by Agentic AI, designed to go beyond traditional vulnerability management.