Description
[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor that targets financial institutions in several countries. The group was first seen in June 2016. Its main targets are located in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. The group has compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card-processing systems.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)
Techniques Used (TTPs)
- T1571 — Non-Standard Port (command-and-control)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1055 — Process Injection (defense-evasion, privilege-escalation)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1059.005 — Visual Basic (execution)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1125 — Video Capture (collection)
- T1059.007 — JavaScript (execution)
- T1218.001 — Compiled HTML File (defense-evasion)
- T1072 — Software Deployment Tools (execution, lateral-movement)
- T1113 — Screen Capture (collection)
- T1027.010 — Command Obfuscation (defense-evasion)
- T1569.002 — Service Execution (execution)
- T1090.002 — External Proxy (command-and-control)
- T1553.002 — Code Signing (defense-evasion)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1018 — Remote System Discovery (discovery)
- T1003.001 — LSASS Memory (credential-access)
- T1059.001 — PowerShell (execution)
- T1588.002 — Tool (resource-development)
- T1070.004 — File Deletion (defense-evasion)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1204.002 — Malicious File (execution)
- T1059.003 — Windows Command Shell (execution)
- T1106 — Native API (execution)
Total TTPs: 28