BANKS AND GOVERNMENTS across the globe are being targeted with sophisticated in-memory malware that, security researchers claim, is almost undetectable using conventional security techniques.
According to Kaspersky, more than 140 major organisations in 40 countries, particularly banks but also telecoms companies and governmental organisations, have been affected.
Kaspersky claims to have identified seven organisations in the UK that have been affected, and ten in France. But the US appears to be the most targeted, with 21 organisations affected. Peculiarly, perhaps, Germany and China, according to Kaspersky's data, haven't been affected.
"The attackers, who may be connected to the GCMAN and Carbanak groups, aren't using signature-based malware to carry out their attackers, instead they're using fileless malware hidden in the memory of the affected servers," claims Chris Brook, writing for Kaspersky's Threat Post website.
"Researchers uncovered the attacks after banks in the Commonwealth of Independent States [former Soviet Union] found Meterpreter, an extensible payload component used by Metasploit, inside the physical memory of a domain controller. Researchers with Kaspersky Lab found the software had been combined with PowerShell scripts in order to invisibly siphon up the passwords of system administrators," continued Brook.
Meterpreter is a legitimate penetration testing tool that Kaspersky has previously seen used maliciously by a group it calls GCMan.
This gave the attackers remote access to the machines, "who also used Microsoft's command-line scripting utility NETSH to funnel traffic from the victim's host to the attacker's command and control system", according to Brook.
Kaspersky believes that the attackers also used Mimikatz, an open-source ‘post exploitation' utility, to acquire credentials for administrative level accounts.
According to Kaspersky, the attackers follow a fairly straightforward process. They gain initial entry by using a known exploit for an unpatched server vulnerability. Then, they use Meterpreter and PowerShell scripts to infect targeted computers.
Third, their malware is hidden in memory, typically the Windows registry, to evade detection. At this stage, they are able to gather credentials and other valuable information. Standard utilities, such as NETSH, is used to exfiltrate compromised information.
According to Kaspersky, nearly all traces of the malware will disappear on reboot and, because the malware leaves little trace behind it isn't detected by conventional anti-virus and other security software.
The company hasn't been able to definitively identify a group behind the wave of attacks, but claim that the techniques deployed resemble groups such as GCMan and Carbanak, a gang also known as Anunak, that Kaspersky claims has stolen as much as $1bn from up to 100 banks.
It re-emerged towards the end of last year in a string of attacks targeting call centres in the hospitality sector with the ultimate aim of compromising point-of-sale retail systems.µ
The mighty fall in the Fog of War
Will enable dedicated data rates at more than 10,000 megabits-per-second
Delta Airlines and GE have an app for that
The PC equivalent of Slow TV