
Silent Night Trojan

Silent Night (also known as SILENT NIGHT or SilentNight Zbot) is a newly observed trojan and botnet family based on the Zloader malware. It is currently offered as-a-service through a number of primarily Russian-speaking dark web forums.




Threat details

At the time of publication, Silent Night has only been observed being delivered by the RIG exploit kit or as malicious Word documents in COVID-19 email spam campaigns. Both methods attempt to deliver an initial loader, which performs microarchitecture and anti-emulation checks before installing Silent Night.

Once installed, Silent Night will attempt to extract form entries, cookies, and credentials from Chromium, Firefox, and Internet Explorer browsers. It is also able to log keystrokes and mouse inputs, take screenshots, and perform web injects to hijack user sessions in order to redirect them to malicious sites. Collected information is encrypted and sent to a command and control server.

For further information:


Remediation steps


To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Last edited: 29 June 2021 12:01 pm