The Silence crew is making a lot more noise. The Russian-speaking hacking group, which specialises in stealing from banks, has been spreading its coverage and becoming more sophisticated, according to a new report from cybersecurity company Group-IB.

It follows a report from the company last year which was the first to identify and analyse the Silence group. You can find both reports here.

Group-IB characterises Silence as a young and relatively immature hacking group that draws on the tools and techniques of others, learning from them and adapting them to its own needs. It has been traditionally cautious, waiting an average of three months between attacks.

That hasn’t stopped it profiting, though. A string of heists has bought the group’s total ill-gotten gains to $4.2m as of this month. As it evolves, the group has been broadening its geographical reach and developing new malware to refine its techniques, the report says.

It has also added a new step to its hacking process: a reconnaissance mail. Since late last year, it has started sending emails to potential targets containing a benign image or link. This helps it update its active target list and detect any scanning technologies that the victims use.

Then, armed with a list of valid addresses, it sends them a malicious email. It can carry Microsoft Office documents with malicious macros, CHM files (Compiled HTML, often used by Microsoft’s help system) or .LNKs (a link to an executable file). Successful exploits install the group’s malware loader, Silence.Downloader (aka TrueBot). It has rewritten this loader to build encryption into some of the communication protocol with the command and control (C2) server.

More recently, the group has begun using a fileless loader called Ivoke, written in PowerShell. Silence began using fileless techniques later than other groups, showing that they are studying and then modifying other groups’ techniques, Group-IB said.

These loaders send information about the infected system to a C2 server, which prompts a manual command from the operator. They install either Silence.Main, a modular trojan that controls the victim’s computer and is updated from a Windows C2 server, or another newer trojan called EDA. EDA illustrates the group’s willingness to stand on the shoulders of giants – it is based on two open-source projects, Empire and dnscat2, which are both tools designed for penetration testing.

The group also uses a range of tools enabling it to move laterally across the victim’s network and to control ATM machines.