27 March 2020

Group-IB: new financially motivated attacks in Western Europe traced to Russian-speaking threat actors

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected successful attacks in Western Europe carried out in late January 2020. At least two companies operating in pharmaceutical and manufacturing sectors have been affected. Group-IB has immediately contacted the victims upon discovery. The tools used in the attacks were traced to Silence and TA505 — Russian-speaking financially-motivated groups.

According to industry researchers, TA505 is known to have carried out attacks on banks, medical institutions retailers and other businesses in the past. At the same time, banks and financial organizations have long been the only targets of Silence. If the latter are the ones to blame, this marks the first time the gang has launched the attacks against pharmaceutical and manufacturing companies and may indicate a significant shift in their modus operandi.

The malware samples used in the European attacks showed up on VirusTotal on February 2 and have been classified as Silence.ProxyBot (MD5: ce04972114bbd5844aa2f63d83cdd333) and 2 upgraded versions of Silence.MainModule (363df0b3c8b7b390573d3a9f09953feb & 800060b75675493f2df6d9e0f81474fd). During the analysis of these samples Group-IB Threat Hunting Intelligence team has identified at least two affected companies from Belgium and Germany. The victims have been notified by Group-IB and provided with all the information to stop the incidents. In addition to the victims, Group-IB experts have managed to establish the CnCs used during the attacks 195.123.246[.]126 and 37.120.145[.]253. The former has been active since late January 2020. Further analysis of cybercriminals’ infrastructure revealed two other executables had likely been deployed during the European campaign: an LPE exploit for for CVE-2019-1405 and CVE-2019-1322 (comahawk.exe) and a Meterpreter stager TinyMet. It’s important to note that TinyMet was compressed using a packer developed by TA505 — a longtime friend of Silence in the business.

The alleged connection between Silence and TA505 was described in Group-IB’s recent report “Silence 2.0: Going Global” for the first time. FlawedAmmyy, a RAT that provides full access to infected machines, is reported to have been used in some of TA505 recent attacks. Group-IB researchers carried out comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader which revealed that these programs were likely developed by the same person — a Russian speaker who is active on underground forums. In late 2019, Group-IB’s DFIR specialists were called in to address Silence’s attack in Europe which was also carried out with the help of TA505: the latter likely provided access to the compromised bank’s network to the Silence gang. The latest Group-IB’s findings confirm the connection between the two threat actors.

While the extent of the damage caused is yet unknown, the choice of the targets, that are unorthodox for Silence, gives some basis to believe that this was either a ransomware attack or these companies were compromised as part of a complex supply-chain attack. Having analyzed the toolset used in the campaign we can assume with moderate confidence that Silence was behind the attacks. There is always a possibility that Silence’s tools could have been sold to another threat actor or borrowed by TA505, for example. Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang’s attempts to avoid detection as a result of being in the spotlight of security researchers for some time now.

Rustam Mirkasymov

Rustam Mirkasymov

Head of Dynamic Malware Analysis Department at Group-IB

According to Group-IB’s «Silence 2.0: Going Global» report, issued in August, Silence significantly expanded their geography and increased the frequency of their attacks. The total confirmed amount of funds stolen by Silence has increased fivefold since the publication of Group-IB’s original report on Silence, and is now estimated at USD 4.2 million. Group-IB’s Threat Intelligence team established that Silence has made a number of changes to its TTPs and enhanced its arsenal. Given that the gang represents a growing threat, both of Group-IB’s reports on Silence — («Silence: Moving into the darkside» and its sequel, «Silence 2.0: Going Global») — have been made publicly available to help cybersecurity specialists with proper attribution and prevention of new incidents.

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB Threat Intelligence system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s 17 years of experience in cybercrime investigations worldwide and 60,000 hours of incident response accumulated in our leading forensic laboratory and 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.

Report an incident

24/7 Incident Response Assistance +65 3159-4398

Thank you for the inquiry! We will contact you soon.
Cookies

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

 
Report an incident