{"id":6553,"date":"2017-02-08T08:30:33","date_gmt":"2017-02-08T16:30:33","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/08\/news-377\/"},"modified":"2017-02-08T08:30:33","modified_gmt":"2017-02-08T16:30:33","slug":"news-377","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/08\/news-377\/","title":{"rendered":"&#039;Invisible&#039; memory-based malware hit over 140 banks, telecoms and government agencies"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2016\/12\/online-hacker-thinkstock-100700133-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Darlene Storm | Date: Wed, 08 Feb 2017 06:39:00 -0800<\/strong><\/p>\n<p>Cybercriminals have hit more than 40 countries with hidden malware that steals passwords and financial data. The malware is not found on hard drives as it hides in the memory of compromised computers, making it almost \u201cinvisible\u201d as criminals exfiltrate system administrators\u2019 credentials and other sensitive data. When a targeted machine is rebooted, nearly all traces of the malware disappear.<\/p>\n<p>Over 140 enterprise networks \u2013 banks, government organizations and telecommunication companies \u2013 from 40 countries have been hit, <a href=\"https:\/\/securelist.com\/blog\/research\/77403\/fileless-attacks-against-enterprise-networks\/\" target=\"_blank\">according to Kaspersky Lab<\/a>. The cybercriminals are using methods and sophisticated malware previously used by nation-state attackers.<\/p>\n<p>The U.S. 
has been the most targeted country with 21 hidden-malware attacks, followed by 10 attacks in France, nine in Ecuador, eight in Kenya, and seven in both the UK and Russia.<\/p>\n<p>Because the malware manages to hide so well, and poofs after a reboot, the number of infections may be much higher.<\/p>\n<p>The \u201cattacks are ongoing globally against banks themselves,\u201d Kaspersky Lab\u2019s Kurt Baumgartner <a href=\"https:\/\/arstechnica.com\/security\/2017\/02\/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe\/\" target=\"_blank\">told<\/a> Ars Technica. \u201cThe banks have not been adequately prepared in many cases to deal with this.\u201d The attackers are \u201ctargeting computers that run automatic teller machines\u201d in order to push \u201cmoney out of the banks from within the banks.\u201d<\/p>\n<p>The attackers have embraced anti-forensic techniques to avoid detection; malware loaded to RAM instead of a hard drive helps to keep it undetected as data is being stolen and systems are being remotely controlled. The attackers have used expired domains that have no WHOIS information. By using open source and legitimate tools, the cybercriminals are making attribution nearly impossible.<\/p>\n<p>Researchers from Kaspersky Lab first learned of the \u201cfileless\u201d malware after a bank was attacked and it helped with forensic analysis. The bank found <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/about-meterpreter\/\" target=\"_blank\">Meterpreter<\/a> code in the memory of a server; Meterpreter was not supposed to be in the physical memory of the domain controller. Digging deeper, the researchers learned that the code had been injected into memory using PowerShell commands. 
The PowerShell scripts were hidden within the Windows registry.<\/p>\n<p>The attackers used <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/mimikatz\/\" target=\"_blank\">Mimikatz<\/a>, Kaspersky Lab said, to grab credentials from accounts with administrative privileges and <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/bb490939.aspx\" target=\"_blank\">NETSH<\/a> to send stolen data back to their server.<\/p>\n<p>It is presently unclear whether the attacker is one group or whether several groups are using the same tools. \u201cGiven that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible,\u201d wrote Kaspersky Lab. However, the researchers noted that similar techniques have been used by the groups GCMAN and Carbanak.<\/p>\n<p>Kaspersky Lab will reveal more details about the attack, as well as how the cybercriminals withdrew money from ATMs, at its <a href=\"https:\/\/sas.kaspersky.com\/\" target=\"_blank\">Security Analyst Summit<\/a> in April.<\/p>\n<p>For now, Kaspersky has listed indicators of compromise; \u201cdetection of this attack would be possible in RAM, network and registry only.\u201d After an infected machine is cleaned, all passwords must be changed. 
\u201cThis attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.\u201d<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3167533\/security\/invisible-memory-based-malware-hit-over-140-banks-telecoms-and-government-agencies.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2016\/12\/online-hacker-thinkstock-100700133-large.3x2.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>Cybercriminals have hit more than 40 countries with hidden malware that steals passwords and financial data. The malware is not found on hard drives as it hides in the memory of compromised computers, making it almost \u201cinvisible\u201d as criminals exfiltrate system administrators\u2019 credentials and other sensitive data. When a targeted machine is rebooted, nearly all traces of the malware disappear.<\/p>\n<p>Over 140 enterprise networks \u2013 banks, government organizations and telecommunication companies \u2013 from 40 countries have been hit, <a href=\"https:\/\/securelist.com\/blog\/research\/77403\/fileless-attacks-against-enterprise-networks\/\" target=\"_blank\">according to Kaspersky Lab<\/a>. 
The cybercriminals are using methods and sophisticated malware previously used by nation-state attackers.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3167533\/security\/invisible-memory-based-malware-hit-over-140-banks-telecoms-and-government-agencies.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,11073,714],"class_list":["post-6553","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-malware-vulnerabilities","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6553"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6553\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6553"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
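The article above says the intrusion left traces in only three places: RAM, the registry (PowerShell scripts stored as registry values) and the network (NETSH used to move stolen data out). The following Python script is an added example, not code from the article, from Computerworld or from Kaspersky Lab, showing how a responder can triage the latter two offline: it parses a `reg export` file, decodes any `-EncodedCommand` payload (base64 of UTF-16LE text), flags long base64 blobs stored as registry values, and parses `netsh interface portproxy show all` output to list port-proxy tunnels whose target lies outside RFC 1918, loopback and link-local space. That the attackers' NETSH use was a port proxy is an assumption of this example (the article only says NETSH sent data to their server); the registry keys, value names, stager script and addresses are all constructed sample data.

```python
"""Offline triage of the two on-disk/network artifacts the article names:
registry-resident PowerShell stagers and netsh port-proxy tunnels.
Both samples below are constructed; nothing here is from a real incident."""
import base64
import binascii
import ipaddress
import re

# Constructed stager: a Run-key value launches hidden -EncodedCommand PowerShell
# that pulls the real script out of a second (hypothetical) registry value.
PAYLOAD_PS = (
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Contoso\\Telemetry').Blob)))"
)
SECOND_STAGE_PS = "# constructed second stage; a real one would be the in-memory loader\nStart-Sleep -Seconds 1"


def to_encoded_command(script):
    """PowerShell -EncodedCommand takes the script as base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed `reg export` content (hypothetical key HKLM\SOFTWARE\Contoso\Telemetry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"TelemetrySvc"="powershell.exe -NoP -W Hidden -Enc {stager}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Telemetry]
"Blob"="{blob}"
""".format(stager=to_encoded_command(PAYLOAD_PS), blob=to_encoded_command(SECOND_STAGE_PS))

# Constructed `netsh interface portproxy show all` output: one tunnel to a TEST-NET
# address standing in for the attackers' server, one purely internal pivot.
SAMPLE_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        198.51.100.7    443
127.0.0.1       3389        10.0.0.5        3389
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match "-e<letters>" followed by a base64-looking token (heuristic).
ENC_FLAG_RE = re.compile(r"(?i)(?<!\S)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{120,}={0,2}$")
STAGER_MARKERS = ("IEX", "Invoke-Expression", "FromBase64String", "Get-ItemProperty",
                  "Net.WebClient", "DownloadString")


def decode_encoded_command(b64):
    """Reverse of to_encoded_command; returns None if the token is not valid base64."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def _unescape_reg(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash


def scan_reg_export(text):
    """One finding per registry value that looks like a stored PowerShell stage."""
    findings, key = [], None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = _unescape_reg(m.group(1)), _unescape_reg(m.group(2))
        enc = ENC_FLAG_RE.search(value)
        if enc and "powershell" in value.lower():
            kind, decoded = "encoded-powershell", decode_encoded_command(enc.group(1))
        elif B64_BLOB_RE.match(value):
            kind, decoded = "base64-blob", decode_encoded_command(value)
        else:
            continue
        markers = [k for k in STAGER_MARKERS if decoded and k.lower() in decoded.lower()]
        findings.append({"key": key, "name": name, "kind": kind,
                         "decoded": decoded, "markers": markers})
    return findings


INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    """Explicit ranges rather than ip.is_global, which also calls TEST-NET non-global."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname cannot be classified offline; treat as external
    return any(ip in net for net in INTERNAL_NETS)


def scan_portproxy(text):
    """Parse netsh portproxy rows; a tunnel is 'external' if its connect-to address is."""
    tunnels = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue  # headers, separators and blank lines
        listen, lport, connect, cport = parts
        tunnels.append({"listen": f"{listen}:{lport}", "connect": f"{connect}:{cport}",
                        "external": not is_internal(connect)})
    return tunnels


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"[{f['kind']}] {f['key']}\\{f['name']} markers={f['markers']}")
        if f["decoded"]:
            print("   decoded:", f["decoded"].replace("\n", " | "))
    for t in scan_portproxy(SAMPLE_PORTPROXY):
        print(f"[portproxy{' EXTERNAL' if t['external'] else ''}] {t['listen']} -> {t['connect']}")
```

On a live host the inputs come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and any other autorun keys you collect) and `netsh interface portproxy show all`; note that `reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing it to `scan_reg_export`. The script sees only the persistence and tunnel artifacts; the Meterpreter stage itself lives in process memory, so a memory acquisition is still needed to confirm it, and, as the article says, every credential on a machine found this way has to be rotated after cleanup.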