27 March 2020

Group-IB: new financially motivated attacks in Western Europe traced to Russian-speaking threat actors

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected successful attacks in Western Europe carried out in late January 2020. At least two companies operating in pharmaceutical and manufacturing sectors have been affected. Group-IB has immediately contacted the victims upon discovery. The tools used in the attacks were traced to Silence and TA505 — Russian-speaking financially-motivated groups.

According to industry researchers, TA505 is known to have carried out attacks on banks, medical institutions retailers and other businesses in the past. At the same time, banks and financial organizations have long been the only targets of Silence. If the latter are the ones to blame, this marks the first time the gang has launched the attacks against pharmaceutical and manufacturing companies and may indicate a significant shift in their modus operandi.

The malware samples used in the European attacks showed up on VirusTotal on February 2 and have been classified as Silence.ProxyBot (MD5: ce04972114bbd5844aa2f63d83cdd333) and 2 upgraded versions of Silence.MainModule (363df0b3c8b7b390573d3a9f09953feb & 800060b75675493f2df6d9e0f81474fd). During the analysis of these samples Group-IB Threat Hunting Intelligence team has identified at least two affected companies from Belgium and Germany. The victims have been notified by Group-IB and provided with all the information to stop the incidents. In addition to the victims, Group-IB experts have managed to establish the CnCs used during the attacks 195.123.246[.]126 and 37.120.145[.]253. The former has been active since late January 2020. Further analysis of cybercriminals’ infrastructure revealed two other executables had likely been deployed during the European campaign: an LPE exploit for for CVE-2019-1405 and CVE-2019-1322 (comahawk.exe) and a Meterpreter stager TinyMet. It’s important to note that TinyMet was compressed using a packer developed by TA505 — a longtime friend of Silence in the business.

The alleged connection between Silence and TA505 was described in Group-IB’s recent report “Silence 2.0: Going Global” for the first time. FlawedAmmyy, a RAT that provides full access to infected machines, is reported to have been used in some of TA505 recent attacks. Group-IB researchers carried out comparative analysis of Silence.Downloader and FlawedAmmyy.Downloader which revealed that these programs were likely developed by the same person — a Russian speaker who is active on underground forums. In late 2019, Group-IB’s DFIR specialists were called in to address Silence’s attack in Europe which was also carried out with the help of TA505: the latter likely provided access to the compromised bank’s network to the Silence gang. The latest Group-IB’s findings confirm the connection between the two threat actors.

While the extent of the damage caused is yet unknown, the choice of the targets, that are unorthodox for Silence, gives some basis to believe that this was either a ransomware attack or these companies were compromised as part of a complex supply-chain attack. Having analyzed the toolset used in the campaign we can assume with moderate confidence that Silence was behind the attacks. There is always a possibility that Silence’s tools could have been sold to another threat actor or borrowed by TA505, for example. Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang’s attempts to avoid detection as a result of being in the spotlight of security researchers for some time now.

Rustam Mirkasymov

Rustam Mirkasymov

Head of Dynamic Malware Analysis Department at Group-IB

According to Group-IB’s «Silence 2.0: Going Global» report, issued in August, Silence significantly expanded their geography and increased the frequency of their attacks. The total confirmed amount of funds stolen by Silence has increased fivefold since the publication of Group-IB’s original report on Silence, and is now estimated at USD 4.2 million. Group-IB’s Threat Intelligence team established that Silence has made a number of changes to its TTPs and enhanced its arsenal. Given that the gang represents a growing threat, both of Group-IB’s reports on Silence — («Silence: Moving into the darkside» and its sequel, «Silence 2.0: Going Global») — have been made publicly available to help cybersecurity specialists with proper attribution and prevention of new incidents.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an Al-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.

Report an incident

Get 24/7 incident response assistance from our global team

APAC: +65 3159-3798
Europe: +31 20 226-90-90
EMA: +971 4 508 1605

Thank you for filling out the form! We will get back to you shortly.

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

Report an incident