Trellix Insights: Silence 2.0 going global
Technical Articles ID: KB92423
Last Modified: 2022-08-10 19:54:17 Etc/GMT
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.
Summary
Description of Campaign:
Silence is a Russian-language APT group that targets victims in the financial sector. Silence runs reconnaissance email campaigns to build its victim list and then phishes those targets with Office documents carrying malicious macros, .chm (compiled HTML Help) files, and .LNK files. The group's most recent victims include banks in Bulgaria, Chile, Costa Rica, Ghana, India, and Russia.
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
Endpoint Security - Advanced Threat Protection:
Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
Rule ID: 208 Identify suspicious files executing from the roaming folder
Rule ID: 322 Prevent mshta from being launched by any process for all rule group Assignments
Rule ID: 239 Identify suspicious command parameter execution
Endpoint Security - Exploit Prevention:
Rule ID: 8003 Fileless Threat: Suspicious PowerShell Behavior Detected
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Host Intrusion Prevention:
Rule ID: 8003 Fileless Threat: Suspicious PowerShell Behavior Detected
Rule ID: 1003 Windows Agent Shielding - Process Access
Endpoint Security - Access Protection Custom Rules:
Rule: 1
Executables (Include): winword.exe
Subrules:
Subrule Type: Files
Operations: Create
Targets (Include): ?:\users\*\appdata\local\temp\*.chm
Rule: 2
Executables (Include): *
Subrules:
Subrule Type: Registry key
Operations: Create
Targets (Include): */system/currentcontrolset/services/microsoftservice
Rule: 3
Executables (Include): hh.exe
Subrules:
Subrule Type: Files
Operations: Execute
Targets (Include): ?:\windows\system32\*
Rule: 4
Executables (Include): hh.exe
Subrules:
Subrule Type: Files
Operations: Create
Targets (Include):
?:\users\*\appdata\roaming\microsoft\*\*.dat
?:\users\*\appdata\local\temp\*.tmp
Rule: 5
Executables (Include): mshta.exe
Subrules:
Subrule Type: Files
Operations: Execute
Targets (Include): ping.exe
Rule: 6
Executables (Include): *
Subrules:
Subrule Type: Files
Operations: Create
Targets (Include): xfsasdf.txt
Rule: 7
Executables (Include): eqnedt32.exe
Subrules:
Subrule Type: Files
Operations: Execute
Targets (Include): mshta.exe
VirusScan Enterprise - Access Protection Custom Rules:
Rule: 1
Rule Type: File
Process to include: winword.exe
File or folder name to block: *\users\*\appdata\local\temp\*.chm
File actions to prevent: Create
Rule: 2
Rule Type: File
Process to include: hh.exe
File or folder name to block: *\windows\system32\*
File actions to prevent: Terminate
Rule: 3
Rule Type: File
Process to include: hh.exe
File or folder name to block: *\users\*\appdata\local\temp\*.tmp
File actions to prevent: Create
Rule: 4
Rule Type: File
Process to include: hh.exe
File or folder name to block: *\users\*\appdata\roaming\microsoft\*\*.dat
File actions to prevent: Create
Rule: 5
Rule Type: File
Process to include: *
File or folder name to block: xfsasdf.txt
File actions to prevent: Create
Rule: 6
Rule Type: File
Process to include: eqnedt32.exe
File or folder name to block: mshta.exe
File actions to prevent: Terminate
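The seven Endpoint Security custom rules above, and their VirusScan Enterprise equivalents (the same checks in VSE syntax), are behavioural conditions on which process touches which file or registry key, so it helps to see them evaluated against endpoint activity. The Python script below is an added example, not Trellix code and not part of this article: it encodes the rules as data and runs constructed process events (file create, file execute, registry key create, in a Sysmon-like shape) through them. Assumptions: wildcard semantics as documented for ENS Access Protection (? matches one character, * matches any run that does not cross a backslash, ** matches any run including backslashes); a target written without a path, such as ping.exe or xfsasdf.txt, is compared with the file name only; the registry target, which the article writes with forward slashes, is compared after normalising to backslashes; the mode field, the event format and the sample events are invented for the example.

```python
"""Added example: evaluate the Access Protection custom rules from this article
(ENS rules 1-7; the VSE rules are the same checks) against constructed endpoint
events.  Not Trellix code.  Assumed wildcard semantics, per ENS documentation:
'?' = one character, '*' = any run not crossing a backslash, '**' = any run
including backslashes.  A target with no path is matched on file name only."""
import re
from dataclasses import dataclass


def ap_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an Access Protection executable/target pattern into a regex."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r".*")          # '**' crosses directory boundaries
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^\\]*")      # '*' stops at the next backslash
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class Rule:
    rule_id: int
    executables: list     # "Executables (Include)"; "*" means any process
    subrule: str          # "file" or "registry"
    operation: str        # "create" or "execute"
    targets: list         # "Targets (Include)"
    mode: str = "report"  # assumed field: deploy in report mode first, then "block"

    def matches(self, proc: str, subrule: str, operation: str, target: str) -> bool:
        if (subrule, operation) != (self.subrule, self.operation):
            return False
        proc_name = proc.rsplit("\\", 1)[-1]
        if not any(ap_glob_to_regex(e).match(proc_name) for e in self.executables):
            return False
        for pat in self.targets:
            if subrule == "registry":
                pat = pat.replace("/", "\\")   # the article writes registry keys with '/'
            # a bare file name such as ping.exe is compared with the target's name only
            subject = target if "\\" in pat else target.rsplit("\\", 1)[-1]
            if ap_glob_to_regex(pat).match(subject):
                return True
        return False


# The seven ENS custom rules from the article, as data.
RULES = [
    Rule(1, ["winword.exe"], "file", "create", [r"?:\users\*\appdata\local\temp\*.chm"]),
    Rule(2, ["*"], "registry", "create", ["*/system/currentcontrolset/services/microsoftservice"]),
    Rule(3, ["hh.exe"], "file", "execute", [r"?:\windows\system32\*"]),
    Rule(4, ["hh.exe"], "file", "create", [r"?:\users\*\appdata\roaming\microsoft\*\*.dat",
                                           r"?:\users\*\appdata\local\temp\*.tmp"]),
    Rule(5, ["mshta.exe"], "file", "execute", ["ping.exe"]),
    Rule(6, ["*"], "file", "create", ["xfsasdf.txt"]),
    Rule(7, ["eqnedt32.exe"], "file", "execute", ["mshta.exe"]),
]

# Constructed events in a Sysmon-like shape; not from a real incident.
EVENTS = [
    {"proc": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "subrule": "file",
     "operation": "create", "target": r"C:\Users\alice\AppData\Local\Temp\invoice.chm"},
    {"proc": r"C:\Windows\hh.exe", "subrule": "file", "operation": "execute",
     "target": r"C:\Windows\System32\cmd.exe"},
    {"proc": r"C:\Windows\hh.exe", "subrule": "file", "operation": "execute",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"proc": r"C:\Windows\System32\mshta.exe", "subrule": "file", "operation": "execute",
     "target": r"C:\Windows\System32\PING.EXE"},
    {"proc": r"C:\Windows\System32\services.exe", "subrule": "registry", "operation": "create",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftService"},
    {"proc": r"C:\Windows\System32\notepad.exe", "subrule": "file", "operation": "create",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def evaluate(event: dict, rules=RULES) -> list:
    """Return [(rule_id, mode)] for every rule the event trips."""
    return [(r.rule_id, r.mode) for r in rules
            if r.matches(event["proc"], event["subrule"], event["operation"], event["target"])]


def hit_counts(events, rules=RULES) -> dict:
    """Hits per rule over a batch of events: the tally to review while the
    rules sit in Report mode, before switching any of them to Block."""
    counts = {}
    for ev in events:
        for rule_id, _ in evaluate(ev, rules):
            counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["proc"].rsplit("\\", 1)[-1], ev["operation"], ev["target"], "->", evaluate(ev))
    print("hits per rule:", hit_counts(EVENTS))
```

Running it shows the caveat that matters when you copy these rules: hh.exe launching cmd.exe from System32 trips rule 3, but the same process launching powershell.exe from its WindowsPowerShell\v1.0 subfolder does not, because a single * stops at the directory boundary; write ?:\windows\system32\** if subfolders should be covered. The Office document dropping invoice.chm into Temp trips rule 1 and the MicrosoftService key creation trips rule 2, while notepad.exe writing a document matches nothing.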
Virusscan Enterprise - Access Protection Rules:
Protect Internet Explorer favorites and settings
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
Virusscan Enterprise - Access Protection Rules:
Prevent programs registering as a service
Host Intrusion Prevention:
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 6081 PowerShell Command Restriction - NoProfile
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6085 PowerShell Command Restriction - File
Rule ID: 6082 PowerShell Command Restriction - ExecutionPolicy Unrestricted
Rule ID: 1148 CMD Tool Access by a Network Aware Application
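Three of the Host Intrusion Prevention rules in the aggressive set restrict powershell.exe switches (6081 NoProfile, 6082 ExecutionPolicy Unrestricted, 6085 File). Whether a given command line trips them depends on how the switches are spelled, because the PowerShell host accepts any prefix of a parameter name that is at least as long as its documented short form (-nop, -ep, -f and so on), and those abbreviations are what phishing payloads typically use. The script below is an added example, not Trellix code and not part of this article: it normalises a powershell.exe command line and reports which of the three rules it would trip. Assumptions: the mapping from each rule title to a switch is inferred from the title alone; the abbreviation table is modelled on the host's prefix rule and covers the common parameters only; the sample command lines are constructed.

```python
"""Added example: decide which of the Host Intrusion Prevention PowerShell
restrictions listed in this article (6081 NoProfile, 6082 ExecutionPolicy
Unrestricted, 6085 File) a powershell.exe command line would trip.  Not Trellix
code.  Assumptions: rule title -> switch mapping is inferred from the titles;
switch resolution follows the PowerShell host's prefix rule (a switch matches a
parameter when it is a prefix of the name at least as long as the documented
short form), so '-nop', '-ep' and '-f' count while '-no' is ambiguous."""
import re

# parameter name -> shortest accepted prefix length (assumed table, common parameters only)
PARAMS = {
    "noprofile": 3, "nologo": 3, "noexit": 3, "noninteractive": 4,
    "executionpolicy": 2, "encodedcommand": 1, "windowstyle": 1,
    "file": 1, "command": 1, "version": 1, "sta": 3, "mta": 3,
    "inputformat": 3, "outputformat": 1, "help": 1,
}
# explicit aliases that are not prefixes of the full name
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand",
           "if": "inputformat", "of": "outputformat", "?": "help"}
TAKES_VALUE = {"executionpolicy", "encodedcommand", "windowstyle", "version",
               "inputformat", "outputformat"}
TAKES_REST = {"file", "command"}   # everything after these belongs to the script/command


def resolve_switch(key: str):
    """Map an abbreviated switch (without the leading - or /) to a full parameter
    name, or None when it is unknown or ambiguous (for example '-no')."""
    key = key.lower()
    if key in ALIASES:
        return ALIASES[key]
    hits = [p for p, min_len in PARAMS.items() if p.startswith(key) and len(key) >= min_len]
    return hits[0] if len(hits) == 1 else None


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def powershell_switches(cmdline: str) -> dict:
    """Normalise the switches of a powershell.exe command line.
    Returns {"flags": set, "values": dict, "unresolved": list}, or an empty dict
    when the command line is not PowerShell at all."""
    tokens = tokenize(cmdline)
    if not tokens:
        return {}
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if not (exe.startswith("powershell") or exe.startswith("pwsh")):
        return {}
    result = {"flags": set(), "values": {}, "unresolved": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok or tok[0] not in "-/":
            i += 1
            continue
        name = resolve_switch(tok[1:])
        if name is None:
            result["unresolved"].append(tok[1:])
        elif name in TAKES_REST:
            result["values"][name] = " ".join(tokens[i + 1:])
            break
        elif name in TAKES_VALUE:
            result["values"][name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 1
        else:
            result["flags"].add(name)
        i += 1
    return result


def hips_rules_tripped(cmdline: str) -> set:
    """Rule IDs from the article whose restriction the command line would trip
    (assumed semantics: 6081 = -NoProfile present, 6082 = -ExecutionPolicy
    Unrestricted, 6085 = -File).  Other policy values such as Bypass are not
    flagged here because the rule title names only Unrestricted."""
    sw = powershell_switches(cmdline)
    if not sw:
        return set()
    tripped = set()
    if "noprofile" in sw["flags"]:
        tripped.add(6081)
    if sw["values"].get("executionpolicy", "").lower() == "unrestricted":
        tripped.add(6082)
    if "file" in sw["values"]:
        tripped.add(6085)
    return tripped


# Constructed command lines, not from a real incident.
SAMPLES = [
    r"powershell.exe -nop -w hidden -ep unrestricted -f C:\Users\Public\run.ps1",
    "powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA",
    'powershell.exe -Command "Get-Process | Out-Null"',
    "powershell -no -c whoami",
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(hips_rules_tripped(line)), powershell_switches(line), "<-", line)
```

The first sample trips all three rules even though none of the switches is spelled out. The Bypass sample trips only 6081: the example flags the policy value named in the rule title, and this page does not say whether the product rule also covers other values, so confirm that in Report mode before relying on it. The -no sample shows an ambiguous prefix, which the host does not resolve to -NoProfile; the example records it as unresolved rather than guessing.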
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Campaign IOC:
Type | Value |
Minimum Content Versions:
Content Type | Version |
Detection Summary:
IOC | Scanner | Detection |