There has been an influx of file-less malware targeting banks around the globe. In-memory malware goes mainstream.
Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware. They have said that this malware is unlike anything they had ever seen.
In this case, the malware resided solely in the memory of the infected computer.
This is an awesome feat they have done as means of infecting a computer. It allowed the infection to remain undetected for six months or more within their system.
This malware was dubbed Duqu 2.0 by Kaspersky once they have detected it.
The name was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Fast forward to now, file-less malware is going mainstream. Financially motivated hackers mimic their nation sponsored counterparts.
According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible.
The actual numbers will be higher than expected since the infections are so hard to spot and detect.
Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.
The banks are not actually prepared to deal with these attacks. The people who are behind these are basically pushing money out of the banks from within the banks specifically targeting ATM machines.
As of now, 140 unnamed organizations been infected and maybe more. It has been said that 40 countries are affected which include US, France, UK, Kenya and Ecuador among the top 5 namely.
It is not known if there is more than one group responsible for the attack being carried out. One possibility is that they are being carried out by competing hackers or gangs.
It is difficult or nearly impossible to accurately pinpoint where it is coming from since the fileless malware and its command-server domains are not associated with any whois data that can be scrutinized.
The researchers first discovered the malware late last year, when a bank’s security team found a copy of Meterpreter—an in-memory component of Metasploit—residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft’s NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or hard drives, the attackers stashed the PowerShell commands into the Windows registry.
Fortunately, the evidence on the domain controller was intact, presumably because it hadn’t been restarted before Kaspersky Lab researchers began their investigation. An analysis of the dumped memory contents and the Windows registries allowed the researchers to restore the Meterpreter and Mimikatz code. The attackers, the researchers later determined, had used the tools to collect passwords of system administrators and for the remote administration of infected host machines.
There has been numerous ways and often had variations on how it was carried out.
It is hard to fathom that Kaspersky themselves got compromised.
Although they figured out a common denominator, which is this odd use in embedding PowerShell into the registry in order to download Meterpretor and then carry out actions from there with native Windows utilities and system administrative tools.
As of now, the security researchers have not yet determined how the malware initially gets into the system.
They have a couple of theories and one of which is possible vectors include SQL-injection attacks and exploits targeting plugins for the WordPress content management application has been utilized.
Kaspersky Lab plans to provide more details in April about how the infections were used to siphon money out of ATMs.
For more technical details click here.