Silence Group
Source: Group-IB
Speaker:
CyberCrime Attacking Financial Institutions
Source: Group-IB
Silence Timeline 2016 - 2018
Source: Group-IB
Team members and Roles

Developer
The developer is a highly skilled reverse engineer but a less skilled
programmer; logical errors are common in his code.
Role in group:
- Develop tools for conducting attacks
- Modify complex exploits and software

Operator
Has in-depth knowledge of penetration testing that allows him to move
freely inside bank networks without detection.
Role in group:
- Gain access to protected systems inside the bank
- Launch the theft process
Geography
Main targets:
Successful Silence attacks are limited to the CIS countries and
Eastern EU; the main targets are in Russia, Ukraine, Belarus,
Azerbaijan, Poland and Kazakhstan.
Separate attempts:
Individual phishing emails were also sent to bank employees in
more than 25 countries in Central and Western EU, Africa and
Asia:
Kyrgyzstan, Armenia, Georgia, Serbia, Germany, Latvia, Kenya,
Czech Republic, Romania, Israel, Cyprus, Greece, Turkey,
Taiwan, Malaysia, Switzerland, Vietnam, Austria, Hong Kong,
Great Britain, and others.
Tools
Self-written programs
Silence - main attack framework
Atmosphere - a set of programs for withdrawing cash from ATMs
remotely
Farse - utility for retrieving passwords from an
infected computer
Cleaner - remote connection log removal tool
3rd party tools
Smoke bot - bot for the first stage of infection
Modified Perl IRC DDoS bot - based on the Undernet
DDoS bot, used for DDoS attacks
Meterpreter - Metasploit framework payload
Exploits
In email attachments:
CVE-2017-0199, CVE-2017-11882, CVE-2018-0802,
CVE-2017-0262, CVE-2018-8174
Privilege escalation:
CVE-2018-4250, CVE-2017-0143, CVE-2017-0263
Legitimate utilities
Listdlls - lists the DLLs loaded by processes on the OS
RogueKiller - small AV tool
Sdelete - file wiper
WinExe - utility for remote management of Windows
machines via the SMB protocol
Silence framework
Silence framework component:
- Silence.MainModule
- Silence.SurveillanceModule
- Silence.ProxyBot
Backdoor.Kikothac
Source: https://www-west.symantec.com/content/symantec/english/en_gb/security-center/writeup.html/2015-110423-0955-99
Silence.MainModule
[Figure: list of possible types of connection with C&C]
After launch, the main body of the Trojan registers itself in
the startup, then registers with the server, and then enters
the cycle of receiving and executing commands.
Persistence
Checks the registry keys:
● HKCU\Software\Microsoft\Windows\CurrentVersion\Run
● HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and adds the value: <<javaplatform>> = <path_to_exe>
Silence.ProxyBot
ProxyBot
All programs of the Silence framework are written in C++,
except for Silence.ProxyBot, which is written in Delphi. A little
later the group switched to Silence.ProxyBot.NET,
which was written in C#.
The goal of this program is to redirect traffic through the
infected computer from the attacker's external server
to local nodes of the compromised network, which are not
reachable from the outside.
Silence.ProxyBot
Silence.ProxyBot.Net
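The traffic pattern ProxyBot produces (an inbound connection from an external server to a host that then fans out to internal nodes) is something a defender can look for in flow data. The script below is an added example and not code from the deck or from Group-IB; the flow records and the internal address ranges are constructed, and the window and target-count thresholds are assumptions to tune per environment.

```python
"""Flow-data heuristic for the ProxyBot pattern described on the slide:
an infected host accepts a connection from an external address and, shortly
afterwards, opens connections to several internal nodes that are not reachable
from outside. Added example; all records below are constructed."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges stand in for "the compromised network" (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# constructed flow records: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "203.0.113.7", 51000, "10.1.1.25", 443),    # external server -> workstation
    (102, "10.1.1.25", 49152, "10.1.5.10", 445),      # workstation fans out internally
    (103, "10.1.1.25", 49153, "10.1.5.11", 3389),
    (104, "10.1.1.25", 49154, "10.1.5.12", 1433),
    (300, "10.1.1.40", 49300, "10.1.5.10", 445),      # ordinary internal traffic
    (500, "198.51.100.9", 40000, "10.1.1.40", 443),   # inbound, but no fan-out follows
]


def find_pivot_hosts(flows, window=60, min_internal_targets=3):
    """Return {host: sorted internal targets} for every internal host that, within
    `window` seconds after accepting a connection from an external address, connects
    to at least `min_internal_targets` distinct internal hosts."""
    ordered = sorted(flows, key=lambda f: f[0])
    inbound = defaultdict(list)   # host -> timestamps of inbound external connections
    for ts, src, _, dst, _ in ordered:
        if not is_internal(src) and is_internal(dst):
            inbound[dst].append(ts)
    targets = defaultdict(set)    # host -> internal hosts it reached after such an inbound
    for ts, src, _, dst, _ in ordered:
        if is_internal(src) and is_internal(dst) and src != dst:
            if any(0 <= ts - t0 <= window for t0 in inbound.get(src, [])):
                targets[src].add(dst)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_internal_targets}


if __name__ == "__main__":
    for host, reached in find_pivot_hosts(SAMPLE_FLOWS).items():
        print(f"possible proxy/pivot host {host} -> {', '.join(reached)}")
```

The check deliberately ignores the port numbers: ProxyBot.NET and the Delphi version differ in implementation, but the pivot shape in the flow data is the same.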
Silence.SurveillanceModule
SurveillanceModule
Covertly captures desktop screenshots, from which a
pseudo-video stream can later be assembled. Runs as
a service named <<default monitor>>.
Sandbox detection
Before running, the module checks for the presence of user
activity over a specified period of time.
Scheme of work
Reads the file <<mss.txt>>, which must be in the same
directory. The file contains the user name under which the
program should be started.
Unpacks and saves a file to
C:\Users\<%username%>\AppData\Local\Temp\mss.exe
Runs <<mss.exe>> on behalf of the user specified in
<<mss.txt>>
Reads data from a pipe, converts it to <<image/png>> and saves
it into the file C:\Users\<%username%>\AppData\Local\Temp\out.dat
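The persistence slide (Run-key value <<javaplatform>>) and the SurveillanceModule slide (service <<default monitor>>, mss.exe / mss.txt / out.dat in the user's Temp directory) together give a small set of host artefacts that can be checked during triage. The script below is an added example, not Group-IB's or the group's code; the registry export, service list and directory listing are constructed so it runs offline, and on a real host you would feed it `reg export` output and the actual service and file lists.

```python
"""Host triage for the persistence and SurveillanceModule artefacts named on the
slides: a Run-key value called "javaplatform", a service called "default monitor",
and mss.exe / mss.txt / out.dat under the user's %TEMP% directory.
Added example; every input below is constructed."""
import re
from dataclasses import dataclass

# Run keys from the slide, in the long form that `reg export` writes, lower-cased
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SUSPICIOUS_VALUE_NAMES = {"javaplatform"}        # value name from the slide
SUSPICIOUS_SERVICE_NAMES = {"default monitor"}   # service name from the slide
SUSPICIOUS_TEMP_FILES = {"mss.exe", "mss.txt", "out.dat"}
TEMP_DIR_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    source: str   # "run-key", "service" or "temp-file"
    detail: str


def parse_reg_export(text):
    """Parse the subset of the .reg format written by `reg export`:
    [key] headers followed by "name"="value" lines. Returns {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes inside string values
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def run_key_findings(reg):
    out = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, value in values.items():
            if name.lower() in SUSPICIOUS_VALUE_NAMES:
                out.append(Finding("run-key", f"{key}\\{name} = {value}"))
            elif TEMP_DIR_RE.search(value):
                out.append(Finding("run-key", f"{key}\\{name} starts from %TEMP%: {value}"))
    return out


def service_findings(services):
    """services: iterable of (service_name, image_path)."""
    out = []
    for name, path in services:
        if name.lower() in SUSPICIOUS_SERVICE_NAMES or TEMP_DIR_RE.search(path):
            out.append(Finding("service", f"{name} -> {path}"))
    return out


def temp_file_findings(paths):
    return [Finding("temp-file", p) for p in paths
            if p.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_TEMP_FILES]


def triage(reg_text, services, temp_files):
    return (run_key_findings(parse_reg_export(reg_text))
            + service_findings(services)
            + temp_file_findings(temp_files))


# --- constructed sample host data -------------------------------------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"javaplatform"="C:\\Users\\alice\\AppData\\Local\\Temp\\mss.exe"
'''
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("default monitor", r"C:\Users\alice\AppData\Local\Temp\mss.exe"),
]
SAMPLE_TEMP_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\mss.txt",
    r"C:\Users\alice\AppData\Local\Temp\out.dat",
    r"C:\Users\alice\AppData\Local\Temp\tmp1234.tmp",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_SERVICES, SAMPLE_TEMP_FILES):
        print(f"[{f.source}] {f.detail}")
```

The generic rule (any Run value or service whose image lives under AppData\Local\Temp) will also catch renamed copies; the name-based rules only match the exact strings on the slides.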
Spear phishing
Phishing from compromised servers and from the public mail service
providers mail.com & att.net
Emails from domains that resemble banking domains
Emails on behalf of real banking domains, and of domains that
resemble them, which have no SPF record
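The three sender patterns on this slide (public mail providers, lookalike banking domains, and domains without SPF) can be scored at the mail gateway. The script below is an added example and not part of the deck or of any vendor product; the legitimate bank domain, the lookalike domains and the DNS TXT answers are constructed so it runs offline, and a real deployment would query DNS instead of the SPF_TXT dictionary.

```python
"""Mail-gateway heuristics for the spear-phishing pattern on the slide:
senders at public providers (mail.com, att.net), sender domains that resemble
a bank's domain, and sender domains with no (or a permissive) SPF record.
Added example; the domain list and DNS answers are constructed."""

PUBLIC_MAIL_PROVIDERS = {"mail.com", "att.net"}   # named on the slide
LEGIT_BANK_DOMAINS = {"examplebank.com"}          # constructed
# constructed DNS TXT answers keyed by domain; None / absent = no record returned
SPF_TXT = {
    "examplebank.com": "v=spf1 include:_spf.examplebank.com -all",
    "examp1ebank.com": None,
    "examplebank-secure.com": "v=spf1 +all",
    "mail.com": "v=spf1 include:spf.mail.com ~all",
}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude 'label before the TLD' extraction (no public-suffix list):
    mail.examplebank.com -> examplebank."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def spf_status(domain, txt_records=SPF_TXT):
    """'missing' (no v=spf1 record), 'permissive' (+all) or 'present'."""
    rec = txt_records.get(domain.lower())
    if not rec or not rec.lower().startswith("v=spf1"):
        return "missing"
    if "+all" in rec.lower().split():
        return "permissive"
    return "present"


def assess_sender(sender_domain, legit=LEGIT_BANK_DOMAINS, txt_records=SPF_TXT):
    """Return the list of reasons a sender domain is suspicious (empty = clean)."""
    d = sender_domain.lower()
    reasons = []
    if d in PUBLIC_MAIL_PROVIDERS:
        reasons.append("public-mail-provider")
    if d not in legit:
        label = registrable(d)
        for ld in sorted(legit):
            ll = registrable(ld)
            if label == ll or levenshtein(label, ll) <= 2 or ll in label:
                reasons.append(f"lookalike-of:{ld}")
                break
    status = spf_status(d, txt_records)
    if status != "present":
        reasons.append(f"spf-{status}")
    return reasons


if __name__ == "__main__":
    for dom in ("examplebank.com", "examp1ebank.com", "examplebank-secure.com", "mail.com", "att.net"):
        print(f"{dom:28s} {assess_sender(dom) or 'clean'}")
```

A subdomain of the real bank (mail.examplebank.com) is also reported as a lookalike because only the exact registered domain is on the allow list; whether that is desired depends on how the bank's own mail is sent.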
Attachments
Exploits for MS Office Word with decoy documents:
CVE-2017-0199, CVE-2017-11882,
CVE-2017-0802, CVE-2017-0262, CVE-2017-8174
In addition to exploits, letters with attached CHM
files were sent, which is rare, as well as letters with .LNK
shortcuts that run PowerShell scripts and JS scripts.
Atmosphere
To control the ATM dispenser, Silence uses unique software called Atmosphere. Over time the Trojan has
evolved significantly to address the needs of the criminals.
In the latest version, the program no longer processes commands from the pinpad, and the generated log became smaller.
Atmosphere
Source of the name:
● c:\repos\atmosphere\Library\bin\Debug\library.pdb
● c:\repos\atmosphere\Dropper\Debug\dropper_debug.pdb
Command      Function
B            Get information on the content of ATM cassettes. In addition, the string "cash unit info received" is added to the log.
A            Get information on the content of ATM cassettes, without logging.
Q            Get information on the content of ATM cassettes.
D            One-time withdrawal of notes of a specific face value from the ATM.
H            Suspend all threads in the process except its own, then use GetThreadContext + SetThreadContext to redirect their
             execution to its own function.
M,R,S,P,T,L  Record the output of the latest command into the file c:\intel\<chrs>.007. This command is also executed after any
             other command by default.