Kaspersky Lab experts have recorded a wave of targeted attacks on large banks in several countries of sub-Saharan Africa.
Since the first days of January, the researchers have observed thousands of attempts to launch malware, including a module that takes screenshots of infected computers. The tools used suggest that the Russian-speaking group Silence is behind the attacks.
The hacker group Silence has been highly active since late 2017, and its victims are mostly financial organizations around the world. A typical attack starts with phishing emails carrying malicious attachments. The attackers often use the infrastructure of already-infected organizations and send the messages on behalf of real employees. If the recipient opens the attachment, an attempt is made to infect the computer with several Trojan modules at once, whose ultimate goal is to collect information about the device and send it to the command-and-control server. One of the main modules takes screenshots of the infected computer.
The attackers also use legitimate administrative tools to stay unnoticed for a long time. Having penetrated the corporate network, they study the infrastructure and internal processes, after which they steal money, for example through ATMs. On average, the attackers try to withdraw about a million dollars from each organization.
Based on the Silence activity that Kaspersky Lab has recorded in several African countries, it can be assumed that the attackers have already penetrated the organizations' internal networks and that the attacks are now in their final stages.
“From the first days of 2020, Kaspersky Lab solutions have recorded thousands of notifications of attacks on banking infrastructure in Africa every day. Previously, the attackers focused on organizations in Eastern Europe, the Asia-Pacific region and Latin America; since the end of 2019 their focus has shifted, which indicates a rapid expansion of the geography of the attacks,” says Sergey Golovanov, a leading antivirus expert at Kaspersky Lab. “Silence’s main goal is to steal money, but during an attack they gain access to a large amount of confidential data that they can use in the future, so we strongly recommend that banks take all the necessary cyber security measures.”
Group-IB specialists, in turn, write that in the summer of 2019 the company's experts recorded attacks on banks in Chile, Costa Rica, Ghana, Bulgaria and Bangladesh. All of the banks were promptly notified, but in several cases the victims failed to respond adequately to the threat. That is exactly what happened with Dutch-Bangla Bank in Bangladesh.
After several thefts, six Ukrainian citizens hired by the Silence group to cash out the stolen money were nevertheless detained. Having studied the attacks, the experts concluded that the attackers used a new, unique tool called EDA and the ATM Trojan xfs-disp.exe, previously used by Silence in the attack on the Omsk-based IT Bank. The initial infection was carried out using the ServHelper backdoor. According to some reports, the initial intrusions were carried out by another hacker group, TA505, which then resold access to the banks of interest to Silence. However, TA505's involvement in the attacks cannot be confirmed at this time.
“In November 2019, the Group-IB Threat Intelligence system recorded activity by the hacker group Silence in Senegal (Africa), which used the same tools as well as a new version of its proprietary Trojan, XDA. All interaction between the backend and the compromised infrastructure is carried out through DNS queries,” said Rustam Mirkasymov, head of Group-IB's malware dynamic analysis department. “At the same time, TA505 has been very active in attacking African banks and financial institutions since the end of 2018, and their activity in the region peaked at the end of 2019. All of this suggests that Silence will increase its presence in the region.”
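The DNS-based command channel mentioned above is the one detail in these reports that a detection engineer can act on directly: a backdoor that talks to its operators only through DNS has to push data through query names and pull it back in answers, and that leaves a recognisable footprint in resolver logs. The following is an added example, not code from Kaspersky Lab or Group-IB and not a reconstruction of XDA's actual protocol. It scores per-client, per-domain query sets for tunnelling indicators: many unique, high-entropy leftmost labels under one registered domain and a high share of payload-capable record types. The log format, the domain names, the client address and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic): "epoch client qname qtype".
# "example-cdn.net" stands in for ordinary web traffic; "tk-probe.xyz" imitates a
# tunnel that carries hex-encoded data in the leftmost label. Both names are assumptions.
SAMPLE_LOG = """\
1578902400 10.20.1.15 updates.example-cdn.net A
1578902401 10.20.1.15 www.example-cdn.net A
1578902402 10.20.1.15 img.example-cdn.net A
1578902403 10.20.1.15 9f3a1c7e2b4d6081a5c3e7f9.sync.tk-probe.xyz TXT
1578902404 10.20.1.15 4e7b2d9a6c1f8e3b0d5a7c92.sync.tk-probe.xyz TXT
1578902405 10.20.1.15 www.example-cdn.net A
1578902406 10.20.1.15 c2a8e4f16b3d7905ae1c4f8d.sync.tk-probe.xyz TXT
1578902407 10.20.1.15 7d1e5b3c9a4f2e8d6b0c3a15.sync.tk-probe.xyz TXT
1578902408 10.20.1.15 www.example-cdn.net A
1578902409 10.20.1.15 3b6f0c2e8d1a5b7c9e4f6a2d.sync.tk-probe.xyz TXT
1578902410 10.20.1.15 e8c4a2f06d9b1e3c5a7f2d4b.sync.tk-probe.xyz TXT
1578902411 10.20.1.15 mail.example-cdn.net MX
"""

# Record types whose answers can carry arbitrary attacker-chosen bytes back to the host.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits per character of the string; encoded data scores much higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain) using a naive last-two-labels rule.
    A real deployment should use the Public Suffix List instead (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text, min_queries=5, entropy_threshold=3.5, uniq_ratio=0.8):
    """Group queries by (client, registered domain) and flag groups that show at least
    two independent tunnelling indicators. Requiring two keeps CDNs, which legitimately
    use many distinct hostnames, from tripping the unique-subdomain check alone."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "high_entropy": 0, "payload_types": 0, "sub_bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on a bad log record
        _, client, qname, qtype = parts
        domain, sub = split_name(qname)
        st = stats[(client, domain)]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["sub_bytes"] += len(sub)
        # Only the leftmost label is scored: that is where encoded chunks are placed.
        if sub and shannon_entropy(sub.split(".")[0]) > entropy_threshold:
            st["high_entropy"] += 1
        if qtype.upper() in PAYLOAD_QTYPES:
            st["payload_types"] += 1

    flagged = {}
    for (client, domain), st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue  # too few queries to judge
        reasons = []
        if len(st["subdomains"]) / n >= uniq_ratio:
            reasons.append("mostly unique subdomains")
        if st["high_entropy"] / n >= 0.5:
            reasons.append("high-entropy leftmost labels")
        if st["payload_types"] / n >= 0.5:
            reasons.append("payload-capable query types")
        if len(reasons) >= 2:
            flagged[(client, domain)] = {"queries": n,
                                         "avg_subdomain_len": st["sub_bytes"] / n,
                                         "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info['queries']} queries, "
              f"avg subdomain {info['avg_subdomain_len']:.1f} chars; {', '.join(info['reasons'])}")
```

On the constructed log the six TXT queries to tk-probe.xyz are flagged on all three indicators, while the example-cdn.net traffic is examined (it has enough queries) but scores zero. In practice the thresholds need tuning against a baseline of the bank's own resolver traffic, and the registered-domain split should use the Public Suffix List so that names like `bank.co.za` are grouped correctly.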