A group of hackers named ‘Silence’ from Russia stole $3 million from the Dutch Bangla bank in Bangladesh using ATMs in May 2019.

A report from Group-IB, an international company that specializes in preventing cyber attacks, represented that the Silence group is active since 2016 and previously attacked banks in Russia, former Soviet states, and Eastern Europe.  Now, they are targeting Asian countries like Bangladesh,  India, Shri Lanka, and Kyrgyzstan.  Bangladesh’s bank Dutch Bangla became the victim of Silence group attack in Asia by losing $3 million according to local media.

It’s said that the hacker group appears to have deployed a malicious code, named Silence malware, on the bank’s network to run malicious commands on hosts and allegedly used the access to orchestrate fund withdrawals from the bank’s ATMs, according to the security researcher Rustam Mirkasymov at Group-IB.

The final stage of the brash cyber attack, which started months earlier, took place in Dhaka on May 31, 2019, according to the local media reports. In CCTV footage posted by local newspapers, two Ukrainian mules with their faces covered are seen withdrawing money from Dutch-Bangla Bank’s ATMs. They made phone calls every time before withdrawing money, which immediately prompted Group-IB’s Threat intelligence team’s interest and indicated that this could likely be involvement of an organized financially-motivated cybercriminal group rather than simply skimming attack. At the time, Group-IB Threat Intelligence team was already aware that Silence had been carrying out operations in Asia.

Group-IB has been tracking Silence and their structure since 2016 and found that Dutch Bangla Bank’s hosts with external IPs 103.11.138.47 and 103.11.138.198 were communicating with Silence’s C&C (185.20.187.89) since at least February 2019.

During the attack on Dutch-Bangla Bank, the cybercriminals have likely used the following Trojans — Silence.Downloader(aka TrueBot), Silence.MainModule (MD5 fd133e977471a76de8a22ccb0d9815b2) which allows to execute remote commands covertly and download files from the compromised server, and Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c), which executes the tasks of the proxy server and allows the attacker to redirect traffic from a hidden node to a back-connect server via the compromised PC.

Once they gained access to the bank’s infrastructure, Silence went on to the next stage of the attack — money withdrawal. One of the instances was shown on the CCTV from May 31 published by the local media. Based on the TTPs used by Silence, the money could have been stolen in one of two ways: the hackers could have either compromised the bank’s card processing system or used the custom Atmosphere software, a set of tools for ATMs jackpotting.

The two other banks of Bangladesh named NCC Bank and Prime Bank were also faced cyber attacks same way of Dutch Bangla Bank, but they claimed they were able to avert financial losses. But, it is not confirmed that the Silence group is behind this.

For any Cyber Security information contact help@theweborion.com