Researchers from Kaspersky Lab have reported thousands of notifications of attacks on major banks in Sub-Saharan Africa.
The malware used in the attacks indicates the threat actor is most likely to be the notorious Silence hacking group, infamous for the theft of millions of dollars from banks around the world.
The attacks have been attributed to this group because the malware used in this latest incident was previously used solely in its operations. Moreover, the malware is in Russian, although the threat actor tried to partly disguise this fact by typing Russian words using the English keyboard layout.
The Silence group is one of the most active advanced persistent threat actors. Its modus operandi is built on a social engineering scheme: a phishing e-mail containing malware is sent to a bank employee.
Following this, the malware gets inside the bank's security perimeter and lies low for a while, performing reconnaissance on the target organisation by capturing screenshots and making video recordings of the daily activity on the infected device, learning how things work within the organisation. Once the bad actors are ready to take action, they activate all capabilities of the malware and cash out using, for example, ATMs. The score sometimes reaches millions of dollars.
The first attacks were detected in the first week of January and indicated that the threat actor was about to begin the final stage of its operation and cash out the funds. The attacks are ongoing and persist in targeting large banks in several Sub-Saharan African countries.
Sergey Golovanov, security researcher at Kaspersky, says the Silence group has been active over the past few years, and lives up to its name.
“Their operations require an extensive period of silent monitoring, with rapid and coordinated thefts. We noticed a growing interest of this actor group in banking organisations in 2017, and since that time, the group would constantly develop, expanding to new regions and updating their social engineering scheme.”
Kaspersky detects the malware used in the operation as HEUR:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic, and urges all banks to stay vigilant. Apart from large sums of money, the Silence group also steals sensitive information as it records video of screen activity.