In a previous post this blog briefly compared two versions of the Silence group’s proxy malware, a post-intrusion tool used to relay network traffic between a C2 endpoint and a non-internet facing device. This post examines three versions of the group’s downloader and documents how it has changed over the last eighteen months. While some characteristics have persisted, several notable functions have been removed, added, or modified in newer versions of this tool.
Tracking such changes helps analysts determine whether or not a newly discovered sample (on the network or in an online repository) is truly new; in the event that the sample is older and forensic data is missing, it can help approximate when the sample might have been deployed.