Tracking the 400 mil shillings AFT – SilentCards big come back.

Summary

Our CNO team that is selectively tasked with offensive operations to gather CTI, for our customers so as to arm them with the most accurate intelligence, stumbled on a server, early 2018, that was used for a larger heist late last year, where the actor made 400,000,000 + KSHs payday. Due to the fact the institution is not our client and has not directly or indirectly contacted us for approval to post this blog and the laws of Kenya do not agree we do so, we can’t name the affected institution, rather we can provide details of how such a heist occurs according to our research, observations and intel collection.



Threat Intelligence

SilentsCards threat actor is a home grown AFT and is an offshoot of Forkbombo Group. They started their robberies late 2017 and have been heisting organizations with lots of millions lost for the last one year. This group inherited the old version key logger used by Forkbombo and perfected it for collection of key logger data in a targeted environment.

The latest code used in several banks, after reversing has the main Def as OnKeyBoardEvent() and the file is usually saved up as tech_kg.py.

def OnKeyboardEvent(event):
    global LOG_NEWACTIVE, LOG_ACTIVE, LOG_TEXT,FILE_NAME,MAIL_SENT
    LOG_NEWACTIVE=''
    wg=win32gui
    LOG_NEWACTIVE = wg.GetWindowText (wg.GetForegroundWindow())
    if LOG_NEWACTIVE != LOG_ACTIVE:
        #----------
        LOG_TEXT += " " + LOG_NEWACTIVE + " |\n"
        LOG_TEXT += "=" * len(LOG_NEWACTIVE) + "===\n\n"
        #-----------
        LOG_ACTIVE = LOG_NEWACTIVE
        print LOG_NEWACTIVE

The second part specifies where the files logged are written into, by default SilentCards saves them in UserProfile as seen below with tar.gz as an extension to fool inexperienced analysts.

LOG_NEWACTIVE=''
LOG_ACTIVE=''
LOG_TEXT=''
now = datetime.datetime.now()
COMPUTER_NAME= socket.gethostname()+" "+ socket.gethostbyname(socket.gethostname()) + ": "
LOGGED_IN=os.getenv('USERNAME')
PATH_FILE=os.getenv('UserProfile')
FILE_NAME=str(PATH_FILE)+"\\"+LOGGED_IN+'.tar.gz'

By default, you will find these outputs in the home directory of the user who is logged, which by default happens when the users gets into their system after logging in.

The logger PE is usually copied and saved into Startup folder which is an older TTP, that ForkBombo group used back in 2015-2017 and then abandoned and started using Scheduled-tasks, Registry and Drivers for persistence.

SilentCards still saves them in startup directory as :

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PE.File.Executable

In short, SilentCards have not improved their operations to try defend their tactics in the long run, but there is a time, our Defenders ended up in a fire fight with SilentCards, as they tried to defend a module they used for CnC during a Breach Readiness service.

SilentCards are known to use AnyDesk for Remote Administration, they are known to use GoToMyPc since 2015, and with collaboration with PsExec, they can laterally move through the ICT Workstations deploying key logger and through the DataCenters dumping passwords and other essential access tokens with use of an open source tool called mimikatz.

Our CNO team observed as they collected Windows creds, and later targeted Card Center servers, by either looking for the server owners and collecting their SSHD credentials. By default most organizations usually have default passwords they set up for users, and on this bank they used three different default passwords.

a) admin123

b) welcome1

c) secret123

SilentCards was also interested on the initial entry to get into a box called Polarisprapp01 and Eqc-VC01. Using these two servers, just like their sister threat actor, Forkbombo group, they started coping all Audit Reports generated by the institutions from the auditors workstations for further review of the institutions situation awareness and Risk Analysis and copied them via Eqc-VC01 an internal server, to a C2 server overseas.

After collecting as many credentials as they could, 400 Million Kenya Shillings was moved in batches, crediting fictitious accounts, then accessed either via VISA/MASTERCARD overseas or with use of Mobile Money Transfers. Unlike Forkbombo which has several money mules, SilentCards relies a lot on foreigners for quick transactions outside the country.

Outlook on SilentCards

We believe this threat actor is still active in different infrastructures and is planning to attack another institution this Easter by running huge transactions. By raising community awareness, we intend to minimize damage and loss to your customers and to ours by maiming their activities and capabilities when exploiting infrastructures across East Africa.

Leave a Reply

Your email address will not be published. Required fields are marked *