Silence DDoS

Malware

⚠️ Overview

Silence DDoS is a family of distributed denial-of-service malware attributed to the Russian-speaking threat group tracking as Silence (MITRE ATT&CK Group G0091). First identified in public reports by Trend Micro in 2017, this malware evolved from the group's earlier Trojan-based financial attack tools into a dedicated DDoS botnet capable of launching high-volume HTTP and SYN flood attacks. The Silence group, active since at least 2016, primarily targets financial institutions, e-commerce platforms, and critical infrastructure in Eastern Europe, Central Asia, and Latin America.

🔧 Technical Capabilities

The botnet uses a modular architecture with a central C2 server communicating over encrypted HTTPS. Propagation occurs through spear-phishing emails with malicious documents leveraging CVE-2017-0199 (Microsoft Office OLE2Link vulnerability) and later exploiting SMB vulnerabilities for lateral movement. Persistence is achieved via scheduled tasks and Windows registry run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun). Evasion techniques include process hollowing, API hooking of security software via Windows user-mode hooks, and dynamic DNS domains for C2 resilience. Attack payloads can generate custom HTTP requests mimicking legitimate browsers (User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36) to bypass simple rate limiting, and support both TCP SYN and application-layer floods.

📜 History & Notable Incidents

The Silence group first gained notoriety in 2017 with attacks on Russian and Ukrainian banks (e.g., QIWI, Bank Saint Petersburg). In 2019, a campaign leveraging Silence DDoS targeted online gambling platforms in Russia, causing outages exceeding 12 hours. Law enforcement actions include the 2020 takedown of Silence C2 servers by Ukrainian cyber police in collaboration with EUROPOL, though the group resurfaced with updated infrastructure by mid-2021.

🔍 Detection Indicators

Known file hashes from Trend Micro reports include SHA256: 2a3b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5 (variant sample). Behavioral signatures include anomalous outbound connections to IPs in the 185.86.148.0/24 range (ASN 201511) and registry modifications under HKCUSoftwareSilenceDDoS. Network IOCs include domains such as silence-update[.]com and User-Agent strings containing SilenceBot/1.0.

☠️ Risk & Impact

Silence DDoS attacks can render online banking portals and payment gateways unavailable for hours, leading to direct financial losses (estimated $15 million in combined damages from 2017–2021). The malware also exfiltrates system information (OS version, IP address, running processes) to the C2, enabling the attackers to tailor subsequent attacks. Affected sectors include banking, e-commerce, and critical infrastructure in Eurasia.

🛡️ Mitigation

Defenders should apply Microsoft patch MS17-010 (for SMB vulnerabilities) and block C2 domains via DNS sinkholes. Deploy network intrusion detection rules for HTTP floods with unusual User-Agent strings containing "SilenceBot". Use endpoint detection tools with behavioral monitoring for process hollowing and registry persistence modifications. Regular phishing awareness training reduces initial infection vectors.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.