Group-IB: new financially motivated attacks in Western Europe traced to Russian-speaking threat actors

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected successful attacks in Western Europe carried out in late January 2020. At least two companies operating in the pharmaceutical and manufacturing sectors have been affected. Group-IB contacted the victims immediately upon discovery. The tools used in the attacks were traced to Silence and TA505, two Russian-speaking, financially motivated groups.

According to industry researchers, TA505 is known to have carried out attacks on banks, medical institutions, retailers and other businesses in the past. At the same time, banks and financial organizations have long been the only targets of Silence. If the latter are the ones to blame, this marks the first time the gang has launched attacks against pharmaceutical and manufacturing companies and may indicate a significant shift in their modus operandi.

The malware samples used in the European attacks showed up on VirusTotal on February 2 and have been classified as Silence.ProxyBot (MD5: ce04972114bbd5844aa2f63d83cdd333) and two upgraded versions of Silence.MainModule (363df0b3c8b7b390573d3a9f09953feb and 800060b75675493f2df6d9e0f81474fd). During the analysis of these samples, Group-IB's Threat Hunting Intelligence team identified at least two affected companies, in Belgium and Germany. The victims have been notified by Group-IB and provided with all the information needed to stop the incidents. In addition to identifying the victims, Group-IB experts established the CnCs used during the attacks: 195.123.246[.]126 and 37.120.145[.]253. The former has been active since late January 2020. Further analysis of the cybercriminals' infrastructure revealed two other executables that had likely been deployed during the European campaign: an LPE exploit for CVE-2019-1405 and CVE-2019-1322 (comahawk.exe) and a Meterpreter stager, TinyMet. It is important to note that TinyMet was compressed using a packer developed by TA505, a longtime business partner of Silence.
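An added example, not part of Group-IB's release, showing how a defender can turn the indicators quoted above into a simple retrospective log check: the MD5 hashes and defanged CnC addresses are exactly the ones stated in the release, while the log lines are constructed for illustration.

```python
import re

# Indicators as quoted in the release; the IPs are kept defanged here and refanged at match time.
RELEASE_IOCS = {
    "md5": {
        "ce04972114bbd5844aa2f63d83cdd333",  # Silence.ProxyBot
        "363df0b3c8b7b390573d3a9f09953feb",  # Silence.MainModule (upgraded)
        "800060b75675493f2df6d9e0f81474fd",  # Silence.MainModule (upgraded)
    },
    "ipv4": {"195.123.246[.]126", "37.120.145[.]253"},  # CnC servers
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its raw form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(iocs: dict) -> dict:
    """Normalise the indicator set: lowercase hashes, refanged addresses."""
    return {
        "md5": {h.lower() for h in iocs["md5"]},
        "ipv4": {refang(ip) for ip in iocs["ipv4"]},
    }


def scan_lines(lines, matcher: dict):
    """Return (line_no, ioc_type, value) for every line that contains a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in matcher["ipv4"]:
                hits.append((n, "ipv4", ip))
        for h in MD5_RE.findall(line):
            if h.lower() in matcher["md5"]:
                hits.append((n, "md5", h.lower()))
    return hits


# Constructed sample lines (not real telemetry): a proxy connection, an EDR file event, benign noise.
SAMPLE_LINES = [
    "2020-01-29T10:14:02Z proxy allow src=10.0.5.23 dst=195.123.246.126:443 bytes=8123",
    "2020-01-29T10:15:40Z edr file_create path=C:\\Users\\x\\AppData\\Roaming\\svc.exe md5=800060B75675493F2DF6D9E0F81474FD",
    "2020-01-29T10:16:01Z proxy allow src=10.0.5.24 dst=93.184.216.34:443 bytes=512",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES, build_matcher(RELEASE_IOCS)):
        print(hit)
```

The same scan_lines() function can be pointed at exported proxy or EDR logs covering late January 2020, the period in which the release says the first CnC was active.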

The alleged connection between Silence and TA505 was described for the first time in Group-IB's recent report "Silence 2.0: Going Global". FlawedAmmyy, a RAT that provides full access to infected machines, is reported to have been used in some of TA505's recent attacks. Group-IB researchers carried out a comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader, which revealed that these programs were likely developed by the same person, a Russian speaker who is active on underground forums. In late 2019, Group-IB's DFIR specialists were called in to respond to a Silence attack in Europe that was also carried out with the help of TA505: the latter likely provided the Silence gang with access to the compromised bank's network. Group-IB's latest findings confirm the connection between the two threat actors.

While the extent of the damage caused is yet unknown, the choice of targets, which are unorthodox for Silence, gives some basis to believe that this was either a ransomware attack or that these companies were compromised as part of a complex supply-chain attack. Having analyzed the toolset used in the campaign, we can assume with moderate confidence that Silence was behind the attacks. There is always a possibility that Silence's tools could have been sold to another threat actor or borrowed by TA505, for example. Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang's attempts to avoid detection as a result of being in the spotlight of security researchers for some time now.

Rustam Mirkasymov

Head of Dynamic Malware Analysis Department at Group-IB

According to Group-IB's "Silence 2.0: Going Global" report, issued in August, Silence has significantly expanded its geography and increased the frequency of its attacks. The total confirmed amount of funds stolen by Silence has increased fivefold since the publication of Group-IB's original report on Silence and is now estimated at USD 4.2 million. Group-IB's Threat Intelligence team established that Silence has made a number of changes to its TTPs and enhanced its arsenal. Given that the gang represents a growing threat, both of Group-IB's reports on Silence ("Silence: Moving into the darkside" and its sequel, "Silence 2.0: Going Global") have been made publicly available to help cybersecurity specialists with proper attribution and the prevention of new incidents.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company's DNA, shaping its technological capabilities to defend businesses and citizens and to support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB's decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries' tactics in each region, delivering customized cybersecurity solutions tailored to the risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world's most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

As an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre's (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.