A new banking malware, called Silent Night, is affecting the emails of thousands of users, especially people in distress from the COVID-19 pandemic, as reported by an analysis of IBM and FireEye from March 2020. The malware first made its appearance late last year and, at the moment, it appears to be affecting mainly the citizens of the United States, Canada and Australia, but cWith the outbreak of the pandemic, phishing campaigns have increased exponentially almost everywhere and, according to the US government, the number of emails delivered will tend to increase significantly in the near future.
Malware has a rather complex structure, but the way in which its developers propose it on the illegal market is striking. Indeed Silent Night is offered as Maas (Malware-as-a-Service), a low cost solution (by industry standards at least), which allows not particularly expert attackers to be immediately operational and have an efficient platform that avoids problems of any kind, guaranteeing constant revenue.
A peculiarity of the new banking Trojan concerns the obfuscator, designed specifically for the new malware, capable of encrypting all strings and constant values, modifying the entire code and thus generating a new one with each use. The resulting output is an extremely confusing code with no significant impact on performance, impossible to identify because any type of digital signature can be “deleted with a click”.
Otherwise, malware works like all other high phishing campaigns: lie victim receives an email with a file Word (or more recently Excel or a VBS script) attached which is described as a form to be filled in for the payment of a state contribution. Once the file is opened, an instance is executed that downloads the Silent Night bot from a C2 server or from a local file and injects it into the instance in question. At this point, the attacker can execute commands directly remotely, leaving the victim unaware, by extracting sensitive bank data, such as bank account number, IBAN or password in case of access to the site of the bank by the victim, as well as having a feature that allows him to extract files, different passwords and cookies directly remotely.
The advice is therefore always the same: be extremely cautious and use common sense, not rushing to open any email and download or execute any attachment, especially if you have not made any questions or purchases. Instead, always carefully check the origin of the email, the language used and, above all, the addresses. In fact, just hover the mouse over a link, without clicking, to display the corresponding address, which will remember the real one that it proposes to imitate, but to which it will inevitably add foreign parts, which direct to specific servers.