{
	"id": "9652e806-94a7-4932-8e65-3e3fabf081e3",
	"created_at": "2026-04-06T00:16:13.855579Z",
	"updated_at": "2026-04-10T03:35:28.870372Z",
	"deleted_at": null,
	"sha1_hash": "7248e232bab65f79ad7274ea1049a8b13179916c",
	"title": "Silence – a new Trojan attacking financial organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 383902,
	"plain_text": "Silence – a new Trojan attacking financial organizations\r\nBy GReAT\r\nPublished: 2017-11-01 · Archived: 2026-04-05 12:41:48 UTC\r\nMore information about the Silence Trojan is available to customers of the Kaspersky Intelligence Reporting Service.\r\nContact: intelreports@kaspersky.com\r\nIn September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks, but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day-to-day activity on bank employees’ PCs, learning how things work in their target banks and what software is being used, and then using that knowledge to steal as much money as possible when ready.\r\nWe saw that technique before in Carbanak and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.\r\nThe attacks are currently still ongoing.\r\nTechnical details\r\nThe cybercriminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank. The message looks like a routine request. 
Using this social engineering trick, the message looks unsuspicious to the receiver:\r\nhttps://securelist.com/the-silence/83009/\r\nPage 1 of 9\r\nSpear-phishing email in Russian.\r\nMalicious .chm attachment\r\nmd5 dde658eb388512ee9f4f31f0f027a7df\r\nType Windows help .chm file\r\nThe attachment we detected in this new wave is a “Microsoft Compiled HTML Help” file. This is a Microsoft proprietary online help format that consists of a collection of HTML pages, indexing and other navigation tools. These files are compressed and deployed in a binary format with the .CHM (compiled HTML) extension. They are highly interactive and can run a series of technologies including JavaScript, which can redirect a victim to an external URL after the CHM is simply opened. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed. This file contains JavaScript whose goal is to download and execute another stage from a hardcoded URL:\r\nPart of start.htm embedded file\r\nThe goal of the script is to download and execute an obfuscated .VBS script, which in turn downloads and executes the final dropper.\r\nObfuscated VBS script that downloads binary dropper\r\nDropper\r\nmd5 404d69c8b74d375522b9afe90072a1f4\r\nCompilation Thu Oct 12 02:53:12 2017\r\nType Win32 executable\r\nThe dropper is a Win32 executable binary file, and its main goal is to communicate with the command and control (C\u0026C) server, send the ID of the infected machine, and download and execute malicious payloads.\r\nAfter executing, the dropper connects to the C\u0026C using a GET request, sends the generated victim ID, downloads the payloads and executes them using the CreateProcess function.\r\nC\u0026C connect request string with 
ID\r\nC\u0026C connect procedure\r\nPayloads\r\nThe payloads are a number of modules executed on the infected system for various tasks such as screen recording, data uploading, etc.\r\nAll the payload modules we were able to identify are registered as Windows services.\r\nMonitoring and control module\r\nmd5 242b471bae5ef9b4de8019781e553b85\r\nCompilation Tue Jul 19 15:35:17 2016\r\nType Windows service executable\r\nThe main task of this module is to monitor the activity of the victim. In order to do so, it takes multiple screenshots of the victim’s active screen, providing a real-time pseudo-video stream of all the victim’s activity. A very similar technique was used in the Carbanak case, where this monitoring was used to understand the victim’s day-to-day activity.\r\nThe module is registered and started by a Windows service named “Default monitor”.\r\nMalicious service module name\r\nAfter the initial startup, it creates a Windows named pipe with a hardcoded name, “\\\\.\\pipe\\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}”. This pipe is used for sharing data in malicious inter-process communication between modules.\r\nNamed pipe creation\r\nThe malware decrypts a block of data and saves it as a binary file with the hardcoded name “mss.exe” in a Windows temporary location, and later executes it using the CreateProcessAsUserA function. 
This dropped binary is the module responsible for the real-time screen activity recording.\r\nThe monitoring module then waits for the newly dropped module to start in order to share the recorded data with other modules through the named pipe.\r\nScreen activity gathering module\r\nmd5 242b471bae5ef9b4de8019781e553b85\r\nCompilation Tue Jul 19 15:35:17 2016\r\nType Windows 32 executable\r\nThis module uses both the Windows Graphics Device Interface (GDI) and the Windows API to record victim screen activity. This is done using the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions. The module then connects to the named pipe created by the previously described module and writes the data there. This technique allows the creation of a pseudo-video stream of the victim’s activity by putting together all the collected bitmaps.\r\nWriting bitmaps to pipe\r\nC\u0026C communication module with console backconnect\r\nmd5 6a246fa30bc8cd092de3806ae3d7fc49\r\nCompilation Thu Jun 08 03:28:44 2017\r\nType Windows service executable\r\nThe C\u0026C communication module is a Windows service, as are all the other modules. Its main functionality is to provide backconnect access to the victim machine using console command execution. After the service initialization, it decrypts the needed Windows API function names, loads the libraries with LoadLibrary and resolves the functions with GetProcAddress.\r\nWinAPI resolving\r\nAfter successfully loading the WinAPI functions, the malware tries to connect to the C\u0026C server using a hardcoded IP address (185.161.209[.]81).\r\nC\u0026C IP\r\nThe malware sends a special request to the command server with its ID and then waits for a response, which consists of a string giving the code of the operation to execute. 
The options are:\r\n“htrjyytrn”, which is the Russian word “реконнект” (“reconnect”) as typed with the keyboard in the English layout.\r\n“htcnfhn”, which is “рестарт” (“restart”) typed the same way.\r\n“ytnpflfybq”, which is “нет заданий”, meaning “no tasks”, typed the same way.\r\nFinally, the malware receives instructions on what console commands to execute, which it does by starting a new cmd.exe process with the command passed as a parameter.\r\nInstruction check\r\nThe described procedure allows attackers to install any other malicious modules. That can easily be done using the “sc create” console command.\r\nWinexesvc tool\r\nmd5 0b67e662d2fd348b5360ecac6943d69c\r\nCompilation Wed May 18 03:58:26\r\nType Windows 64 executable\r\nOn some infected computers we also found a tool called Winexesvc. This tool basically provides the same functionality as the well-known “psexec” tool. The main difference is that Winexesvc enables the execution of remote commands from a Linux-based operating system: when the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created on the target and installed as a service.\r\nConclusion\r\nAttacks on financial organizations remain a very effective way for cybercriminals to make money. The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests the group’s activity is expanding. The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.\r\nThe group uses legitimate administration tools to fly under the radar in the post-exploitation phase, which makes detection of malicious activity, as well as attribution, more complicated. This kind of attack has become widespread in recent years, which is a very worrisome trend as it demonstrates that criminals are successful in their attacks. 
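The C2 response codes described above are not random tokens: they are Russian words typed while the keyboard is in the English (QWERTY) layout, so each Latin letter stands for the Cyrillic letter on the same physical key. The following added example is not code from the report; the layout tables, function names and the generalisation to arbitrary strings in both directions are this example's own. It lets an analyst read further codes of this kind straight out of captured C2 traffic, not only the three documented ones.

```python
# Added example, not code from the Kaspersky report: decode the Silence C2
# command codes. They are Russian words typed while a QWERTY (English)
# keyboard layout is active instead of the Russian JCUKEN layout, so each
# Latin letter stands for the Cyrillic letter on the same physical key.
from typing import Dict, Optional, Tuple

# Physical key rows of a US QWERTY layout (lower case, left to right) and the
# Cyrillic characters on the same keys in the standard Russian layout. The
# apostrophe key is added via chr(39) so the literal needs no escaping.
_QWERTY = 'qwertyuiop[]asdfghjkl;' + chr(39) + 'zxcvbnm,./`'
_JCUKEN = 'йцукенгшщзхъфывапролджэячсмитьбю.ё'
assert len(_QWERTY) == len(_JCUKEN) == 34


def _build_table(src: str, dst: str) -> Dict[str, str]:
    # One entry per key; letters also get an upper-case entry, punctuation
    # keys (which have no case) must not overwrite their own entry.
    table: Dict[str, str] = {}
    for a, b in zip(src, dst):
        table[a] = b
        if a.upper() != a:
            table[a.upper()] = b.upper()
    return table


QWERTY_TO_JCUKEN = _build_table(_QWERTY, _JCUKEN)
JCUKEN_TO_QWERTY = _build_table(_JCUKEN, _QWERTY)


def retype(text: str, table: Dict[str, str]) -> str:
    # Characters that are not on a mapped key (digits, spaces, most
    # punctuation) pass through unchanged.
    return ''.join(table.get(ch, ch) for ch in text)


def qwerty_to_jcuken(text: str) -> str:
    # What the operator saw on screen when typing the code: Cyrillic text.
    return retype(text, QWERTY_TO_JCUKEN)


def jcuken_to_qwerty(text: str) -> str:
    # Inverse direction: what a Russian word becomes under the English layout.
    return retype(text, JCUKEN_TO_QWERTY)


# The three response codes documented in the report and their meaning.
SILENCE_COMMANDS: Dict[str, str] = {
    'htrjyytrn': 'reconnect',
    'htcnfhn': 'restart',
    'ytnpflfybq': 'no tasks',
}


def decode_command(code: str) -> Tuple[str, Optional[str]]:
    # Returns the Cyrillic reading of a code and, if it is one of the three
    # documented Silence codes, its meaning; unknown codes give None.
    return qwerty_to_jcuken(code), SILENCE_COMMANDS.get(code.lower())


if __name__ == '__main__':
    for code in SILENCE_COMMANDS:
        cyrillic, meaning = decode_command(code)
        print(code, cyrillic, meaning)
```

Note that the decoder only recovers the Cyrillic text; whether a given string is a layout-typed Russian word or an ordinary English token still needs a dictionary check, since any ASCII word maps to some Cyrillic string.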
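The host artifacts described above (the “Default monitor” service, the named pipe GUID, mss.exe dropped in a temporary location, the hardcoded C2 address, the winexesvc.exe service and the MD5 list in the IOC section below) can be turned into a small hunting pass. The following added example is not code from the report: the event dictionaries, their field names, the sample paths and the rule names are constructed for this example; only the indicator values come from the report.

```python
# Added hunting example, not code from the Kaspersky report. It evaluates the
# host indicators described in the report over constructed Sysmon/System-log
# style events. The event shape, field names and rule names are assumptions
# of this example; the indicator values are taken from the report.
import hashlib
from typing import Dict, List, Tuple

# MD5s from the report (IOC section plus the winexesvc sample in the body),
# normalised to lower case because the published list mixes hex case.
SILENCE_MD5 = {h.lower() for h in (
    'dde658eb388512ee9f4f31f0f027a7df', '404d69c8b74d375522b9afe90072a1f4',
    '15e1f3ce379c620df129b572e76e273f', 'd2c7589d9f9ec7a01c10e79362dd400c',
    '1b17531e00cfc7851d9d1400b9db7323', '242b471bae5ef9b4de8019781e553b85',
    '324d52a4175722a7850d8d44b559f98d', '6a246fa30bc8cd092de3806ae3d7fc49',
    'b43f65492f2f374c86998bd8ed39bfdd', 'cfffc5a0e5bdc87ab11b75ec8a6715a4',
    '0b67e662d2fd348b5360ecac6943d69c',
)}
SILENCE_SERVICE_NAME = 'default monitor'
SILENCE_PIPE_GUID = '73f7975a-a4a2-4ab6-9121-aecae68aabbb'
SILENCE_C2_IP = '185.161.209.81'

Event = Dict[str, str]


def is_known_hash(md5_hex: str) -> bool:
    # Case-insensitive membership test against the report's MD5 list.
    return md5_hex.strip().lower() in SILENCE_MD5


def md5_of(data: bytes) -> str:
    # Hash file contents read elsewhere; compare with is_known_hash().
    return hashlib.md5(data).hexdigest()


def check_event(ev: Event) -> List[str]:
    # Returns the names of all rules the event matches (possibly none).
    kind = ev.get('event', '')
    hits: List[str] = []
    if kind == 'service_install':                  # System log 7045 style
        name = ev.get('service_name', '').lower()
        image = ev.get('image_path', '').lower()
        if name == SILENCE_SERVICE_NAME:
            hits.append('silence_monitor_service')
        if image.endswith('\\winexesvc.exe'):
            hits.append('winexesvc_service_install')
    elif kind == 'pipe_created':                   # Sysmon event 17 style
        if SILENCE_PIPE_GUID in ev.get('pipe_name', '').lower():
            hits.append('silence_named_pipe')
    elif kind == 'file_create':                    # Sysmon event 11 style
        path = ev.get('target_path', '').lower()
        if path.endswith('\\mss.exe') and '\\temp\\' in path:
            hits.append('silence_mss_drop')
    elif kind == 'process_create':                 # Sysmon event 1 style
        if is_known_hash(ev.get('md5', '')):
            hits.append('silence_known_hash')
    elif kind == 'network_connect':                # Sysmon event 3 style
        if ev.get('dest_ip', '') == SILENCE_C2_IP:
            hits.append('silence_c2_ip')
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    # (event index, rule name) for every match, in event order.
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry for this example (not real logs); the last
# two events are benign and must not match.
SAMPLE_EVENTS: List[Event] = [
    {'event': 'service_install', 'service_name': 'Default monitor',
     'image_path': 'C:\\ProgramData\\dm\\dm.exe'},
    {'event': 'pipe_created', 'image': 'C:\\ProgramData\\dm\\dm.exe',
     'pipe_name': '\\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}'},
    {'event': 'file_create', 'image': 'C:\\ProgramData\\dm\\dm.exe',
     'target_path': 'C:\\Windows\\Temp\\mss.exe'},
    {'event': 'process_create', 'image': 'C:\\Windows\\Temp\\mss.exe',
     'md5': '242B471BAE5EF9B4DE8019781E553B85'},
    {'event': 'network_connect', 'image': 'C:\\ProgramData\\dm\\cc.exe',
     'dest_ip': '185.161.209.81'},
    {'event': 'service_install', 'service_name': 'winexesvc',
     'image_path': 'C:\\Windows\\winexesvc.exe'},
    {'event': 'service_install', 'service_name': 'Spooler',
     'image_path': 'C:\\Windows\\System32\\spoolsv.exe'},
    {'event': 'network_connect', 'image': 'C:\\Program Files\\Browser\\browser.exe',
     'dest_ip': '203.0.113.10'},
]


if __name__ == '__main__':
    for index, rule in scan(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index])
```

To use it on real telemetry, map parsed Sysmon or System-log records into the same dictionary shape; an event can match more than one rule, and the winexesvc rule keys on the installed image name rather than the service name because winexe installs the service itself.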
We will continue monitoring the activity of this new campaign.\r\nThe spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organizations.\r\nRecommendations\r\nThe effective way to protect against targeted attacks focused on financial organizations is to have preventive advanced detection capabilities present on users’ systems, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in the safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on-premise and in-lab machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.\r\nThe best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can be a convenient and highly effective solution, providing not only data on the vulnerabilities found but also advice on how to fix them, further strengthening corporate security.\r\nIOCs\r\nKaspersky Lab products detect the Silence Trojan with the following verdicts:\r\nBackdoor.Win32.Agent.dpke\r\nBackdoor.Win32.Agent.dpiz\r\nTrojan.Win32.Agentb.bwnk\r\nTrojan.Win32.Agentb.bwni\r\nTrojan-Downloader.JS.Agent.ocr\r\nHEUR:Trojan.Win32.Generic\r\nFull IOCs and YARA rules are delivered with the private report subscription.\r\nMD5\r\ndde658eb388512ee9f4f31f0f027a7df\r\n404d69c8b74d375522b9afe90072a1f4\r\n15e1f3ce379c620df129b572e76e273f\r\nd2c7589d9f9ec7a01c10e79362dd400c\r\n1b17531e00cfc7851d9d1400b9db7323\r\n242b471bae5ef9b4de8019781e553b85\r\n324d52a4175722a7850d8d44b559f98d\r\n6a246fa30bc8cd092de3806ae3d7fc49\r\nb43f65492f2f374c86998bd8ed39bfdd\r\ncfffc5a0e5bdc87ab11b75ec8a6715a4\r\nSource: https://securelist.com/the-silence/83009/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-silence/83009/"
	],
	"report_names": [
		"83009"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7248e232bab65f79ad7274ea1049a8b13179916c.pdf",
		"text": "https://archive.orkl.eu/7248e232bab65f79ad7274ea1049a8b13179916c.txt",
		"img": "https://archive.orkl.eu/7248e232bab65f79ad7274ea1049a8b13179916c.jpg"
	}
}