Banks Targeted by the Silent Group, ONI Malware – Ransomware or Wiper & North Korea Steals Warship Blueprints


Banks Targeted by ‘Silent’ Trojan – An unknown hacking group that has been dubbed the ‘Silence Group’ has been leveraging techniques similar to those deployed by the infamous Carbanak hacking group. After breaking into financial institutions via spear phishing campaigns, they stay there, silent, watching and recording employees’ activities and exfiltrating data, which in turn is used to steal money. The Trojan that they deploy within the phishing emails is called the ‘Silence Trojan’, and the goal of the organisation is not to target the banks’ customers but rather the banks themselves. If a victim within the bank clicks on one of the malicious emails, the malware runs a payload that prompts a series of downloads and executes a dropper. The dropper communicates with a C&C server, which sends malicious modules to monitor the victim through screen recording, data upload, credential theft and remote access control. The group stay silent for long periods of time, monitoring day-to-day activities, examining the network and stealing enough data to compromise the banks’ procedures without being noticed. So far there does not seem to be any connection between the Silence Group and Carbanak, so whether this is a copycat attempt or a spin-off group from Carbanak remains unknown. However, financial institutions need to become aware of this growing trend, as recent examples (Carbanak & Odinaff) prove that this type of cyber robbery is successful, with attackers emerging unscathed and much, much richer.

ONI Ransomware or is that Wiper Malware? – Japanese companies have been under the onslaught of the ONI ransomware for the past month, but what makes this an interesting case is that it highlights the blurring of the lines between ransomware and wiper malware. Cybereason analysed the computers infected with ONI and found that the victims had been targeted initially by a spear phishing campaign, which installs a Remote Access Trojan (RAT) called Ammyy Admin. Whilst Ammyy Admin is a legitimate application, it was being used for malicious purposes in this case. Once the attackers had access to the network, they attempted to gain access to domain administrator accounts and servers, and most likely then spent months exfiltrating data. When the attackers were finished, however, ONI ransomware would come into play. As the attackers had access to the domain servers, they would utilise Group Policy Scripts to execute a batch file that cleaned up over 460 different event logs in order to cover their activities. This same script would also deploy the ONI ransomware on computers in order to encrypt files and possibly to further obfuscate the activities of the attackers. Interestingly, the attackers utilised two different types of ONI: one was used to target non-critical computers, whilst the other was called MBR-ONI because it encrypted the actual file system and then replaced the MBR, or Master Boot Record, with a password-protected lock screen that is displayed before Windows boots. So the question remains: ransomware or wiper? Were the attackers looking to make a bit more money after their initial attack, or was ONI being used to cover their tracks?
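A defender's view of the log-clearing step described above, as an added example that is not from Cybereason's analysis or the original post: it flags hosts where many distinct event logs are cleared within minutes, using the Windows log-cleared events 1102 and 104 as forwarded to a central collector. The record field names, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows records a log clear as event 1102 (in the Security channel) or
# event 104 (in the System channel, naming the channel that was cleared).
CLEAR_EVENT_IDS = {104, 1102}

def find_mass_log_clearing(events, window=timedelta(minutes=5), min_channels=20):
    """Return {host: (window_start, distinct_channels)} for hosts where at
    least `min_channels` different logs were cleared inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] in CLEAR_EVENT_IDS:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["channel"]))
    flagged = {}
    for host, clears in per_host.items():
        clears.sort()
        start = 0
        for end in range(len(clears)):
            # Advance the window start until the span fits inside `window`.
            while clears[end][0] - clears[start][0] > window:
                start += 1
            channels = {ch for _, ch in clears[start:end + 1]}
            if len(channels) >= min_channels:
                flagged[host] = (clears[start][0], len(channels))
                break  # report the first burst that crosses the threshold
    return flagged

def hosts_cleared_together(flagged, spread=timedelta(minutes=30)):
    """Hosts whose bursts start within `spread` of the earliest one, the
    pattern expected when one domain-wide script does the clearing."""
    if not flagged:
        return []
    first = min(t for t, _ in flagged.values())
    return sorted(h for h, (t, _) in flagged.items() if t - first <= spread)

def _constructed_events():
    # Constructed sample: WS01 and WS02 each clear 25 channels in ~25 s;
    # SRV09 clears one log (routine admin activity, must not be flagged).
    evs = [{"time": "2017-11-01T09:00:00", "host": "SRV09", "event_id": 104, "channel": "Application"}]
    for host, base in (("WS01", "2017-11-01T02:00:00"), ("WS02", "2017-11-01T02:03:00")):
        t0 = datetime.fromisoformat(base)
        evs.append({"time": base, "host": host, "event_id": 1102, "channel": "Security"})
        for i in range(1, 25):
            evs.append({"time": (t0 + timedelta(seconds=i)).isoformat(), "host": host,
                        "event_id": 104, "channel": f"Constructed-Channel-{i}"})
    return evs

SAMPLE = _constructed_events()
```

The detection only works if these events leave the host before the logs are wiped, so it depends on forwarding them as they are written.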

North Korea Hacked Daewoo Shipbuilding – South Korea has accused North Korea of hacking into Daewoo Shipbuilding and Marine Engineering Co Ltd and stealing the blueprints for its warships. The hack was discovered by a division of South Korea’s Ministry of Defence in charge of investigating cybercrime but it is not known how sensitive or how highly classified the documents are. The hack has been attributed to North Korea due to it having all the hallmarks of similar past attacks that North Korea is thought to be behind. This attack follows on from last month’s claim from a South Korean lawmaker that the North had stolen gigabytes of classified military documents, including wartime plans from the South Korean Ministry of Defence.