Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected successful attacks in Western Europe carried out in late January 2020. At least two companies operating in the pharmaceutical and manufacturing sectors have been affected. Group-IB contacted the victims immediately upon discovery. The tools used in the attacks were traced to Silence and TA505, two Russian-speaking, financially motivated groups.
According to industry researchers, TA505 is known to have carried out attacks on banks, medical institutions, retailers and other businesses in the past. Silence, by contrast, has until now targeted only banks and financial organizations. If Silence is the group responsible, this marks the first time the gang has attacked pharmaceutical and manufacturing companies and may indicate a significant shift in its modus operandi.
The malware samples used in the European attacks showed up on VirusTotal on February 2 and have been classified as Silence.ProxyBot (MD5: ce04972114bbd5844aa2f63d83cdd333) and two upgraded versions of Silence.MainModule (MD5: 363df0b3c8b7b390573d3a9f09953feb and 800060b75675493f2df6d9e0f81474fd). During the analysis of these samples, Group-IB's Threat Hunting Intelligence team identified at least two affected companies, one in Belgium and one in Germany. The victims were notified by Group-IB and provided with the information needed to stop the incidents. Group-IB experts also established the command-and-control (C2) servers used during the attacks, 195.123.246[.]126 and 37.120.145[.]253; the former has been active since late January 2020. Further analysis of the criminals' infrastructure revealed two other executables that had likely been deployed during the European campaign: a local privilege escalation (LPE) exploit for CVE-2019-1405 and CVE-2019-1322 (comahawk.exe) and TinyMet, a Meterpreter stager. Notably, TinyMet was compressed with a packer developed by TA505, a longtime partner of Silence.
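The indicators above are the ones a defender would sweep for first. The script below is an added example, not Group-IB's tooling: it refangs the published C2 addresses, hashes files in chunks and matches them against the listed MD5s, and scans proxy log lines for connections to the C2 servers. The hashes and IP addresses are the ones quoted in the article; the proxy log lines are constructed for the demo and the log field names are an assumption.

```python
"""IOC sweep for the Silence samples and C2 servers named in the article.

Added example, not Group-IB's own code. Hashes and C2 addresses come from
the article; SAMPLE_PROXY_LOG below is constructed, not a real capture.
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

# File hashes from the article (MD5 -> family name)
IOC_MD5: Dict[str, str] = {
    "ce04972114bbd5844aa2f63d83cdd333": "Silence.ProxyBot",
    "363df0b3c8b7b390573d3a9f09953feb": "Silence.MainModule",
    "800060b75675493f2df6d9e0f81474fd": "Silence.MainModule",
}

# C2 addresses exactly as published, i.e. defanged so they cannot be clicked
IOC_C2_DEFANGED = ["195.123.246[.]126", "37.120.145[.]253"]


def refang(indicator: str) -> str:
    """Undo common defanging ([.] / (.) / hxxp) so the IOC matches real log data."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


IOC_C2: Set[str] = {refang(ip) for ip in IOC_C2_DEFANGED}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_md5(digest: str, table: Dict[str, str] = IOC_MD5) -> Optional[str]:
    """Return the family name if the digest is a published sample, else None."""
    return table.get(digest.lower())


def sweep_files(root: Path, table: Dict[str, str] = IOC_MD5) -> List[Tuple[str, str]]:
    """Walk a directory tree and report files whose MD5 matches a published sample."""
    hits: List[Tuple[str, str]] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            family = lookup_md5(md5_of_file(p), table)
        except OSError:  # unreadable file: skip it rather than abort the sweep
            continue
        if family:
            hits.append((str(p), family))
    return hits


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sweep_log_lines(lines: Iterable[str], c2: Set[str] = IOC_C2) -> List[Tuple[int, str]]:
    """Report (line number, address) for every log line that contacts a known C2."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            if ip in c2:
                hits.append((n, ip))
    return hits


# Constructed proxy log sample for the demo (assumed key=value format); not a real capture.
SAMPLE_PROXY_LOG = [
    "2020-01-28T09:14:02Z src=10.0.4.17 dst=195.123.246.126 dport=443 action=ALLOW bytes=51233",
    "2020-01-28T09:14:05Z src=10.0.4.17 dst=93.184.216.34 dport=443 action=ALLOW bytes=912",
    "2020-01-29T11:02:44Z src=10.0.7.3 dst=37.120.145.253 dport=80 action=ALLOW bytes=2048",
]

if __name__ == "__main__":
    for n, ip in sweep_log_lines(SAMPLE_PROXY_LOG):
        print(f"log line {n}: connection to known Silence C2 {ip}")
    # Optional: pass a directory to hash every file under it against IOC_MD5
    if len(sys.argv) > 1:
        for path, family in sweep_files(Path(sys.argv[1])):
            print(f"{path}: matches {family}")
```

Two caveats apply. Hash matching only catches these exact builds; a repacked or recompiled Silence.MainModule will have a different MD5, so the sweep should sit alongside behavioral detection rather than replace it. IP indicators also age: the article notes 195.123.246[.]126 has been active only since late January 2020, and hosting can be reassigned, so confirm who currently owns an address before blocking it outright.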
The alleged connection between Silence and TA505 was first described in Group-IB's recent report “Silence 2.0: Going Global”. FlawedAmmyy, a RAT that provides full access to infected machines, is reported to have been used in some of TA505's recent attacks. Group-IB researchers carried out a comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader which revealed that the two programs were likely developed by the same person, a Russian speaker who is active on underground forums. In late 2019, Group-IB's DFIR specialists were called in to address a Silence attack in Europe that was also carried out with the help of TA505: the latter likely provided the Silence gang with access to the compromised bank's network. Group-IB's latest findings confirm the connection between the two threat actors.
Head of Dynamic Malware Analysis Department at Group-IB
According to Group-IB's “Silence 2.0: Going Global” report, issued in August, Silence significantly expanded its geography and increased the frequency of its attacks. The total confirmed amount of funds stolen by Silence has increased fivefold since the publication of Group-IB's original report on the group and is now estimated at USD 4.2 million. Group-IB's Threat Intelligence team established that Silence has made a number of changes to its TTPs and enhanced its arsenal. Given that the gang represents a growing threat, both of Group-IB's reports on Silence, “Silence: Moving into the darkside” and its sequel “Silence 2.0: Going Global”, have been made publicly available to help cybersecurity specialists with proper attribution and prevention of new incidents.