Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Silence Group as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.
Active since 2016, Silence Group is a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry. There has been ample coverage [1] [2] of this group over the years that highlights their TTPs (Tactics, Techniques, and Procedures) [3]. The aim of this playbook is to provide first responders with relevant, up-to-date analysis, samples, and indicators of compromise that should help security professionals better protect their infrastructures.
Overview
The modus operandi of the Silence Group is simple: make as much money as possible by compromising targets, in this case banks, via spear phishing, then exfiltrate financial data and "jackpot" ATMs to withdraw cash.
To achieve these goals, the Silence Group is known to utilize publicly available tools that they repurpose, as well as use a technique that the cybersecurity industry refers to as “living off the land.”
In practice, this means they try to operate for as long as possible using only the tools and commands already built into the target's operating system, maximizing the time they can spend inside the target environment. This strategy has two benefits: first, using locally available tools helps them evade detection, and second, it helps them establish a deeper and stronger foothold.
However, the group does not exclusively rely on publicly available tools. They are also known to write their own sets of modular, custom tools. As the motivations and various TTPs of their living-off-the-land strategy have been documented previously, this blog will focus on the details of those custom tools developed exclusively by this group.