
Silent Night

Posted: May 22, 2020

Silent Night is a banking Trojan derived from the Keylogger Zeus codebase. Its campaigns operate on a for-hire (malware-as-a-service) model, so the threat actors renting it use whatever delivery method suits them, from e-mail attachments to browser-based exploit kits. Affected users should have a robust anti-malware product remove Silent Night immediately, change every password that may have been captured (from a clean device), and contact their bank for further guidance on recovery.

An Expensive Nighttime Quietude for More than One Party

The tale of the Keylogger Zeus is an epic in banking Trojan history that outlives its name in its offspring, such as Gameover, Sphinx, Terdot, and, most recently, Silent Night. The last Trojan on this list is making its name as one of the most expensive options on the black market for rented spyware, a price tag its seller justifies with what malware experts rate as substantial upgrades to its structure and stealth. With attacks that vary according to the modules in use and extreme attention to code-hiding mechanisms, Silent Night may remain 'the next big thing' on the banking Trojan marketplace for months to come.

Because it is rented out to third parties, Silent Night's distribution model is nearly as flexible as its payload. Malware researchers have confirmed cases of browser exploit kits such as the RIG Exploit Kit performing drive-by downloads that deposit Silent Night, as well as multiple tactics built around phishing e-mail attachments. Although Silent Night's version numbers show limited iteration, the Trojan carries advantages over the old Keylogger Zeus that demonstrate the programmer's experience.

Silent Night compartmentalizes most of its attacks into separate modules, most of which concern themselves with collecting browser information. Through them, it can record in-browser keystrokes, grab data entered into web forms, take screenshots, collect cookies and set up a proxy on the infected machine. Both Silent Night's core and its modules are also wrapped in complex layers of obfuscation that essentially 'morph' the code to prevent threat-detecting tools from recognizing it. Unusually, this obfuscation is applied before compilation rather than by a post-build packer, although the obfuscating tool itself appears to be a fixed, reusable one rather than something rewritten per build.

Clearing the Nightly Predators Off Your Bank Account

Some of Silent Night's choices in structure and obfuscation suggest that the threat actor maintaining it, 'Axe' (also responsible for the lesser-known Axebot banking Trojan), is working from Terdot as a template. Borrowing from that lineage does not weaken Silent Night's own self-obfuscating capabilities. Like most banking Trojans, it also hides from users through memory injection into other processes and related techniques that limit the visibility of its processes and files.

Users can monitor e-mail attachments and links for possible Silent Night attacks, which may attach the Trojan to a message directly or use a delivery vehicle, such as a document-embedded Trojan dropper (typically a macro-enabled Office file). Deactivating advanced content like macros, JavaScript, Flash, and Java also will prevent many of the vulnerabilities related to these campaigns from being reachable at all. Malware researchers also recommend staying up-to-date with security patches, since exploit kits overwhelmingly rely on already-fixed browser and plugin flaws.
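As an added illustration of the attachment-screening advice above (this is example code written for this page, not a tool from the original article or from any vendor), the script below triages a constructed sample e-mail the way a mail gateway or a cautious user might: it flags executable and script attachments, double extensions such as "invoice.pdf.exe", and Office documents that carry a VBA project even when named with a macro-free extension. The extension lists, the sample message and its attachments are all assumptions made up for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists for the example: extensions that run code directly,
# decoy extensions used in double-extension tricks, and OOXML containers
# that may hide a VBA project regardless of the name they are given.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".jar", ".lnk", ".iso", ".docm", ".xlsm", ".pptm", ".dotm"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg", ".png", ".xls"}
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def ooxml_has_macro(data: bytes) -> bool:
    """True if an OOXML (zip) document contains a vbaProject.bin stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip at all: either a legacy binary format or a mislabelled file.
        return False


def assess_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable reasons an attachment looks risky."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable or macro-enabled extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension hiding {ext} behind .{parts[-2]}")
    if ext in OOXML_EXTENSIONS and ooxml_has_macro(data):
        reasons.append("embedded VBA project (macro) inside Office document")
    return reasons


def triage_eml(raw: bytes) -> dict:
    """Map each suspicious attachment filename to its list of reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = assess_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_eml() -> bytes:
    """Constructed phishing-style message used only as demo input."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.test"
    msg["To"] = "customer@example.test"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice and statement.")

    # A minimal OOXML-shaped zip that smuggles a VBA project under a .docx name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    # A bare executable disguised with a PDF decoy extension.
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    # A harmless-looking PDF that should pass.
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_eml(build_sample_eml()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately name-agnostic for Office files: the zip contents decide, not the extension, because a document carrying macros can be renamed to ".docx" and still be opened by Word. It does not inspect legacy ".doc" OLE files, which need an OLE parser rather than a zip reader.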

Whatever the variables of its business model, Silent Night is consistent in targeting bank account-related data. Banking customers can protect themselves with fully-patched systems and reputable anti-malware services that remove Silent Night before it exfiltrates passwords or other information.

Like Keylogger Zeus and Terdot, Silent Night seems set to leave a long-lasting mark on both the banking Trojan industry and its victims throughout the world. As threat actors like Axe entrench their code-level defenses against detection, bank customers will find it ever more critical not to be taken unawares by the latest Trojan evolution.
