'Silence' Gang Tied to Bank Heist in Bangladesh - ReportGroup-IB Says Analysis of Malware Leads to Russian-Speaking Gang
A recent $3 million bank heist in Bangladesh is likely the handiwork of "Silence," a Russian-speaking gang known for its slow and methodical attacks against banks and ATMs, according to an analysis by security firm Group-IB.
In late May, Dutch Bangla Bank Ltd, along with at least two other local banks in Bangladesh, reportedly were targeted by attackers that used malware planted in ATMs to collect cash. Two of the banks claimed they stopped the heist before money was lost, but Dutch Bangla Bank appears to have lost as much as $3 million, according to local news reports (see: Investigators Probe Attacks on At Least 3 Bangladesh Banks).
In the Dutch Bangla Bank heist, hired "mules" were captured on closed circuit video making phone calls and cashing out the money from ATMs in Bangladesh.
The video of the men making phones calls after each withdrawal sparked the interest of Group-IB researchers, who investigated the malicious code used during the incident and now say they’ve tied the Dutch Bangla Bank robbery specifically to Silence.
Silence apparently is making good on its plans to move beyond Russia and other countries in Eastern Europe to more targets in Asia and Western Europe, Rustam Mirkasymov, head of the dynamic analysis department Group-IB, tells Information Security Media Group.
"This indicates that our forecast was correct: Having tested their tools and techniques in Russia and the CIS [post-Soviet republics], Silence has gained the confidence and skill necessary to be an international threat to international banks and corporations," Mirkasymov says. "Therefore, all financial organizations should be aware of this threat. To better prepare for Silence attacks internationally that are likely to occur in the near future, banks need to learn more about the gang's tactics, techniques and procedures and the infrastructure they use."
Grand Theft ATM
Researchers first became aware of Silence in 2016. The gang is primarily known for its ATM jackpotting or "cash out" schemes, which netted the group at least $800,000 over three years.
Over the past three years, Silence has started to change its techniques, including using communication protocols and obfuscating malware to avoid detection, according to Group-IB. The gang also has adjusted its infrastructure to make it more difficult for researchers to track it or tie it to specific attacks (see: 'Silence' Cybercrime Gang Targets Banks in More Regions).
While the details of the Dutch Bangla Bank robbery remain under investigation, it appears the attack started at least three months prior to the May 31 ATM withdrawal captured on video. In February, an IP address associated with the bank first started communicating with a command-and-control server controlled by Silence, Mirkasymov says.
The Group-IB researchers also found evidence that Silence was able to implant several Trojans within the bank's network, including Silence.Downloader and Silence.MainModule, which allowed the attackers to execute remote commands covertly and download files from a compromised server, according to the report.
The researchers also found evidence of Silence.ProxyBot, malware that executes the tasks of the proxy server and allows the attacker to redirect traffic from a hidden node to a back-connect server through a compromised PC.
Silence apparently did not customize these Trojans for this particular incident, Mirkasymov says. It's also not clear how the operation against the bank started.
"We assume that a phishing email could have been the initial vector of the attack," Mirkasymov says. "As we noted in our report, phishing emails with LNK files, CHM files and office documents with exploits or macros attached are actively used by the Silence gang."
Once the gang got inside the network and compromised servers, it could have compromised the bank's card processing system or it could have used customized Atmosphere software - a set of tools for ATM jackpotting, the Group-IB report says.
The video of the men taking money from the ATM and attempting to hide their faces helped tip Group-IB off that at least one of these robberies might have ties to an organized cyber gang.
In most cases, Silence and other crime groups hire these so-called money mules as third-party providers who don’t know with whom they are communicating, Mirkasymov says. In all likelihood, the men in the video are hired hands and not actual members of the Silence gang, he adds.
Local media reports identified the six men seen in the video as Ukrainian nationals, but it's not clear if any of them are under arrest or facing charges.
No Ties to Earlier Heist?
Although some local publications speculated that these recent bank incidents were related to the 2016 Bangladesh Bank heist, where hackers made off with $81 million, the Group-IB report claims that the Silence group is more than likely the main culprit.
In the case of the Bangladesh Bank robbery, a United Nation's Security Council report from earlier this year concluded that one of several threat groups associated with the North Korean government pulled off the robbery by targeting the bank's SWIFT system account at the Federal Reserve Bank in New York and then transferring funds to accounts in the Philippines, where the money was then laundered (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).
The Group-IB report says that at least four targets in Asia, including the Dutch Bangla Bank, have recently been attacked by Silence.