{"id":4344,"date":"2017-02-12T21:28:12","date_gmt":"2017-02-12T15:58:12","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=4344"},"modified":"2017-02-12T21:28:12","modified_gmt":"2017-02-12T15:58:12","slug":"fileless-memory-based-malware-plagues-140-banks-enterprises","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/fileless-memory-based-malware-plagues-140-banks-enterprises\/","title":{"rendered":"Fileless Memory-Based Malware Plagues 140 Banks, Enterprises"},"content":{"rendered":"<div>\n<div>\n<p>Attackers have been using well-known, standard utilities to carry out attacks on organizations around the world, and covering their tracks by wiping their activity from the machine\u2019s memory before it\u2019s rebooted.<\/p>\n<p>The attackers, who may be connected to the GCMAN and Carbanak groups, aren\u2019t using signature-based malware to carry out their attacks; instead they\u2019re using fileless malware hidden in the memory of the affected servers.<\/p>\n<p>Researchers with Kaspersky Lab\u2019s Global Research and Analysis Team described the attacks Wednesday in <a href=\"https:\/\/ift.tt\/2lpSRJ9\">a blog post on Securelist<\/a>.<\/p>\n<p>More than 140 enterprises\u2013primarily banks, government organizations, and telecommunications firms in 40 countries, including the U.S., France, and Ecuador\u2013have been affected, according to Kaspersky.<\/p>\n<p><a href=\"https:\/\/ift.tt\/2kPlnqi\"><img decoding=\"async\" alt=\"\" class=\"wp-image-123653\" src=\"https:\/\/ift.tt\/2k4Bmwm\"><\/a><\/p>\n<p>Researchers uncovered the attacks after banks in the Commonwealth of Independent States found Meterpreter, an extensible payload component used by Metasploit, inside the physical memory of a domain controller. 
Researchers with Kaspersky Lab found the software had been combined with PowerShell scripts in order to invisibly siphon up the passwords of system administrators.<\/p>\n<p>Once they got this information, the researchers claim the attackers essentially had remote access to the machines. They were also spotted using another legitimate utility, Microsoft\u2019s command-line scripting utility NETSH, to funnel traffic from the victim\u2019s host to the attacker\u2019s command and control system.<\/p>\n<p>Researchers believe attackers used Mimikatz, an open-source, post-exploit utility, to grab credentials for service accounts with admin privileges. After achieving admin privileges, they could use NETSH and another Microsoft utility, SC, and run malicious PowerShell scripts.<\/p>\n<p><a href=\"https:\/\/ift.tt\/2kPmYMJ\"><img decoding=\"async\" alt=\"\" class=\"wp-image-123654\" src=\"https:\/\/ift.tt\/2k4I1X2\"><\/a><\/p>\n<p>While researchers were able to determine the techniques used in the attacks, narrowing down exactly who carried them out is difficult, given that the attacks were carried out with everyday tools and how skilled the attackers are at evading detection.<\/p>\n<p>\u201cThe determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware,\u201d Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, said Wednesday.<\/p>\n<p>\u201cThat is why memory forensics is becoming critical to the analysis of malware and its functions. 
In these particular incidents, the attackers used every conceivable anti-forensic technique, demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.\u201d<\/p>\n<p>It\u2019s unclear how victim enterprises had their servers hacked in the first place. According to researchers, the attackers used a known exploit for an unpatched vulnerability.<\/p>\n<p>Golovanov and Igor Soumenkov, another researcher with the company\u2019s GReAT team, plan to present additional details around the operation \u2013 including a second part, how attackers extracted money from banks via ATMs \u2013 in April, at the <a href=\"https:\/\/ift.tt\/1GdA8p9\">Kaspersky Lab Security Analyst Summit<\/a>.<\/p>\n<p>While researchers claim they\u2019re unsure who\u2019s behind the attacks, they said their approaches do bear a resemblance to groups previously uncovered by Kaspersky Lab, such as GCMAN and Carbanak.<\/p>\n<p>Like these attacks, <a href=\"https:\/\/ift.tt\/1XdnAFS\">GCMAN<\/a>, a group the firm described at the Security Analyst Summit last year, used legitimate pen-testing tools, like Meterpreter, to target banks. Once inside a network, they pivoted, bouncing around from machine to machine until they could transfer money from a bank computer to e-currency services. Attackers managed in one instance to transfer $200 payments per minute to a money-mule account without the bank being any the wiser.<\/p>\n<p>Details around the <a href=\"https:\/\/ift.tt\/1RwlYYl\">Carbanak<\/a> gang, a group of attackers who purportedly stole $1 billion from 100 banks, emerged at the Security Analyst Summit in 2015. 
In that campaign, attackers used a one-two punch of a spear-phishing email and a backdoor to manipulate access to banking networks and steal money.<\/p>\n<p>Over the last few months the group has reemerged and been seen shifting gears: in <a href=\"https:\/\/ift.tt\/2ges2II\">November 2016<\/a> it began targeting the hospitality and restaurant industry. <a href=\"https:\/\/ift.tt\/2jy48cg\">Last month<\/a> it was learned the group was using Google hosted services for its command and control channels.<\/p>\n<\/div>\n<\/div>\n<p>via https:\/\/ift.tt\/2kUmrbX<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers have been using well-known, standard utilities to carry out attacks on organizations around the world, and covering their tracks by wiping their activity from the machine\u2019s memory before it\u2019s rebooted. The attackers, who may be connected to the GCMAN and Carbanak groups, aren\u2019t using signature-based malware to carry out their attacks; instead they\u2019re using &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/fileless-memory-based-malware-plagues-140-banks-enterprises\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Fileless Memory-Based Malware Plagues 140 Banks, 
Enterprises&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[],"class_list":["post-4344","post","type-post","status-publish","format-standard","hentry","category-itsec"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-184","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4344"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4344\/revisions"}],"predecessor-version":[{"id":4345,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4344\/revisions\/4345"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4344"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}