At least 10 financial institutions have been hit with a new Trojan spread by an alleged Russian-speaking cybercrime group codenamed "Silence", research shows.
Analysis released Wednesday (1 November) by Kaspersky Lab said the cyber-criminals are using tactics similar to another gang – known as Carbanak – in a sophisticated plot to steal millions in cash.
The campaign remains ongoing and was spotted by analysts in September, the firm's report said.
The targets, which have not been named, were based in Russia, Armenia and Malaysia, and were sent emails carrying the malware, a new Trojan the researchers have also dubbed "Silence".
It remains unclear how much money the attackers have stolen so far, but Kaspersky Lab was able to monitor and track the group's reconnaissance and surveillance tactics.
The report said the victims so far were "mostly Russian banks" but indicated that more may soon be hit.
The attackers were found to be taking advantage of banks they had "already compromised", sending the booby-trapped emails from the addresses of real bank employees at those institutions, which increased the chance the messages would be opened, Kaspersky Lab said.
The malicious attachments, once opened, needed just one click from the victim to download a payload onto the targeted machine. The payload would immediately send an identifier for the compromised computer to the criminals' command and control (C&C) server and then stealthily execute the Trojan.
Once a machine is infected, the attackers wait. They monitor day-to-day activity and map out the bank's network; Kaspersky said the team bides its time until it can steal as much money as possible in one operation.
It helps that the malware can take screenshots and capture video-like recordings of real-time screen activity, which readily exposes banking credentials and the staff's daily routines.
"The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks," said Sergey Lozhkin, security expert at Kaspersky Lab.
"We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed.
"The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank's security architecture."
In one major attack in February last year, alleged state-sponsored hackers were able to steal $81m (£56m) from Bangladesh Bank, the country's central bank, by targeting its connection to the SWIFT interbank messaging system.
In the case of the Silence group, Kaspersky said evidence points to the attackers being Russian-speaking. But as with every investigation, concrete attribution remains murky.
Russian-speaking cybercriminals usually avoid domestic targets, though not always; in this case the victims were mostly Russian banks.
"Attacks on financial organisations remain a very effective way for cybercriminals to make money," the Kaspersky Lab report concluded.
"The analysis of this case provides us with a new Trojan, apparently being used in multiple international locations, which suggests it is an expanding activity of the group.
"The Trojan provides monitoring capabilities similar to the ones used by the Carbanak group.
"The spear-phishing infection vector is still the most popular way to initiate targeted campaigns. When used with already compromised infrastructure, and combined with .chm attachments, it seems to be a really effective way of spreading, at least among financial organisations."
A .chm file is a Microsoft Compiled HTML Help file, a Windows help-file container that bundles HTML pages, and those pages can carry script that runs when the file is opened in the Windows help viewer. That is what lets a help-file attachment act as a downloader for the real payload.
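Because the emails in this campaign came from genuine addresses at already-compromised banks, sender reputation alone is a weak signal; a practical check is to flag .chm attachments at the mail gateway regardless of who sent them. The script below is an added example (not code from the report or from Kaspersky Lab) using only Python's standard `email` library. It parses raw RFC 822 messages and reports any attachment that is a CHM file, judged either by its declared .chm extension or, to catch a renamed file, by the "ITSF" magic bytes that begin every CHM container. The addresses, subject line and attachment bodies are constructed samples; "ITSF" plus filler stands in for a real CHM body.

```python
import email
from email import policy
from email.message import EmailMessage

# Microsoft Compiled HTML Help (.chm) files begin with the ITSS container magic "ITSF".
CHM_MAGIC = b"ITSF"
CHM_EXTENSIONS = (".chm",)


def chm_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every leaf part of a raw RFC 822 message
    that is a CHM file, judged by declared filename or by content magic.
    Content is checked too, so a renamed .chm (e.g. "report.pdf") is still caught.
    Archives are not opened; a .chm inside a .zip needs a separate unpacking step."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(CHM_EXTENSIONS):
            hits.append((filename, "chm extension"))
        elif payload.startswith(CHM_MAGIC):
            hits.append((filename or "<unnamed>", "ITSF magic"))
    return hits


def _message(sender, attachment_name, attachment_bytes) -> bytes:
    """Build a constructed sample message (hypothetical addresses, not from the report)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "operator@example-bank.test"
    msg["Subject"] = "Updated payment instructions"
    msg.set_content("Please review the attached file.")
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples; "ITSF" followed by filler stands in for a real CHM body.
FAKE_CHM = CHM_MAGIC + b"\x00" * 60
# The sender is a real-looking mailbox at a peer bank, matching the campaign's use of
# compromised institutions as senders; the check deliberately ignores the sender.
SENDER = "a.petrov@partner-bank.test"
SAMPLES = {
    "direct": _message(SENDER, "report.chm", FAKE_CHM),
    "renamed": _message(SENDER, "report.pdf", FAKE_CHM),
    "benign": _message(SENDER, "report.pdf", b"%PDF-1.4\n%filler"),
    "no_attachment": _message(SENDER, None, None),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {chm_attachments(raw)}")
```

The magic-byte check is the part worth keeping: an extension filter alone is defeated by renaming the file, and a CHM that arrives as "report.pdf" still opens in the help viewer if the user later renames it or the attacker's script does.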
The Carbanak group was exposed by Kaspersky Lab in 2015. One report claimed the notorious hacking unit was able to steal up to $1bn from more than 100 financial institutions around the globe.
Dedicated research into its sophisticated hacking tools remains ongoing to this day.