This 'invisible' memory-based malware is infiltrating organisations across the globe


steven36

Cybercriminals are using legitimate software to collect enterprise passwords and other credentials.


Cybercriminals are launching 'invisible' attacks to infiltrate the networks of organisations to steal login credentials and financial data -- and the only tool they're using is legitimate software.

It's thought that over 140 organisations including banks, telecommunications companies, and government organisations across the globe have fallen victim to these hidden malware attacks.


Discovered by cybersecurity researchers at Kaspersky Lab, the attacks use widely-available tools, including penetration-testing and administration software as well as the PowerShell framework for task automation in Windows, to hide malware in victims' computer memory, instead of the more traditional tactic of dropping it onto the hard drive.

This form of attack leaves investigators with almost no evidence that an attack took place, and any indication of an incident is removed when the system is rebooted.

The discovery came after Kaspersky Lab was contacted by banks which had found Meterpreter penetration-testing software in the memory of their servers when it wasn't supposed to be in that location.

Meterpreter had its code combined with legitimate PowerShell scripts and other utilities, with the aim of stealing administrator passwords and remotely controlling machines and systems. All of these factors indicate the attackers are attempting to make off with credentials about financial processes.

This 'invisible' method of attack makes it difficult to uncover details about incidents because a lack of traces of hacker activity mean the normal processes of incident response don't apply.

It's not known who specifically is behind the attacks, and the use of open source exploits, Windows utilities, and unknown domains make it difficult to identify the exact group, or groups, responsible. However, researchers note that cybercriminal groups such as the Carbanak gang and the GCMAN group use similar approaches.

The group behind the attacks is still active and has so far successfully attacked organisations in 40 countries. It's the US which has found itself most targeted by the invisible malware so far, with 21 organisations falling victim to this sort of attack there. Other prominent targets include businesses in France, Ecuador, Kenya, the UK, and Russia.

What makes this type of attack particularly dangerous to organisations is that any evidence of it occurring is so well hidden.

"The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions," said Sergey Golovanov, principal security researcher at Kaspersky Lab.

"In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible".

By Danny Palmer

http://www.zdnet.com/article/this-invisible-memory-based-malware-is-infiltrating-organisations-across-the-globe/

Kaspersky: 'Invisible' memory-based malware hit over 140 banks, telecoms and government agencies

Cybercriminals have hit more than 40 countries with hidden malware that steals passwords and financial data. The malware is not found on hard drives as it hides in the memory of compromised computers, making it almost “invisible” as criminals exfiltrate system administrators’ credentials and other sensitive data. When a targeted machine is rebooted, nearly all traces of the malware disappear.

Over 140 enterprise networks – banks, government organizations and telecommunication companies – from 40 countries have been hit, according to Kaspersky Lab. The cybercriminals are using methods and sophisticated malware previously used by nation-state attackers.

The U.S. has been the most targeted country with 21 hidden-malware attacks, followed by 10 attacks in France, nine in Ecuador, eight in Kenya, and seven in both the UK and Russia.

Because the malware manages to hide so well, and poofs after a reboot, the number of infections may be much higher.

The “attacks are ongoing globally against banks themselves,” Kaspersky Lab’s Kurt Baumgartner told Ars Technica. “The banks have not been adequately prepared in many cases to deal with this.” The attackers are “targeting computers that run automatic teller machines” in order to push “money out of the banks from within the banks.”

The attackers have embraced anti-forensic techniques to avoid detection; malware loaded to RAM instead of a hard drive helps to keep it undetected as data is being stolen and systems are being remotely controlled. The attackers have used expired domains that have no WHOIS information. By using open source and legitimate tools, the cybercriminals are making attribution nearly impossible.

Researchers from Kaspersky Lab first learned of the “fileless” malware after a bank was attacked and it helped with forensic analysis. The bank found Meterpreter code in the memory of a server; Meterpreter was not supposed to be in the physical memory of the domain controller. Digging deeper, the researchers learned that the code had been injected into memory using PowerShell commands. The PowerShell scripts were hidden within Windows registry.

The attackers used Mimikatz, Kaspersky Lab said, to grab credentials from accounts with administrative privileges and NETSH to send stolen data back to their server.

It is presently unclear if the attacker is one group or if several groups are using the same tools. “Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible,” wrote Kaspersky Lab. However, the researchers noted that similar techniques have been used by the groups GCMAN and Carbanak.

Kaspersky Lab will reveal more details about the attack, as well as how the cybercriminals withdrew money from ATMs, at its Security Analyst Summit in April.

For now, Kaspersky has listed indicators of compromise; “detection of this attack would be possible in RAM, network and registry only.” After an infected machine is cleaned, all passwords must be changed. “This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.”

Computerworld
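The second post notes that the PowerShell loader was persisted in the Windows registry and that detection is only possible "in RAM, network and registry". The following PowerShell is an added defender-side example, not code from the articles or from Kaspersky Lab: it sweeps common registry autorun locations and service ImagePath values for PowerShell command lines carrying encoded or long base64 blobs and decodes them for review. The list of autorun keys and the 100-character base64 threshold are assumptions you should tune to your environment; run it in an elevated session.

```powershell
function Find-RegistryPowerShellPayload {
    [CmdletBinding()]
    param(
        # Assumed autorun locations; extend with the ones your baseline covers.
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        ),
        [int]$MinBase64Length = 100   # assumed threshold for a "suspiciously long" blob
    )
    # Service ImagePath values are a second place a PowerShell one-liner can be stored.
    $targets  = @(foreach ($k in $Keys) { if (Test-Path $k) { Get-Item $k } })
    $targets += @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -notmatch '(?i)powershell|pwsh') { continue }
            # -e / -enc / -EncodedCommand followed by base64, or any long base64 run
            $encoded = [regex]::Match($value, '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})')
            $longB64 = [regex]::Match($value, "[A-Za-z0-9+/=]{$MinBase64Length,}")
            if (-not $encoded.Success -and -not $longB64.Success) { continue }

            $b64 = if ($encoded.Success) { $encoded.Groups[1].Value } else { $longB64.Value }
            try {
                # -EncodedCommand payloads are UTF-16LE; other blobs are usually UTF-8
                $bytes   = [Convert]::FromBase64String($b64)
                $decoded = if ($encoded.Success) { [Text.Encoding]::Unicode.GetString($bytes) }
                           else { [Text.Encoding]::UTF8.GetString($bytes) }
            } catch { $decoded = '<not valid base64>' }

            [pscustomobject]@{
                Key     = $item.Name
                Value   = $name
                Command = $value.Substring(0, [Math]::Min(120, $value.Length))
                Decoded = $decoded.Substring(0, [Math]::Min(200, $decoded.Length))
            }
        }
    }
}

Find-RegistryPowerShellPayload | Format-List
```

Any hit should be compared against a known-good baseline of the host; a registry-resident PowerShell loader survives the reboot that wipes the in-memory stage, so the registry is the durable artifact to collect during triage.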


If you are interested in the technical details of how it works and the code that was retrieved from memory dumps you can find that information here.

https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
