A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.

The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.

The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.

Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.

These files contain JavaScript, which is run when the attachments are opened, triggering the download of a malicious payload from a hardcoded URL. That initial payload is a VBS script, which in turn downloads the dropper – a Win32 executable binary, which enables contact to be established between the infected machine and the attacker’s C2 server. Further malicious files, including the Silence Trojan, are then downloaded.

The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.

This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.

Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.

Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected.  Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.

Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.