When it comes to banks and financial institutions, data security is a critical area that is constantly exposed to breaches. With the variety of malware evolving today, breaches are becoming more sophisticated and more inconspicuous than ever.
In a report published yesterday, the Russian security firm Kaspersky Lab reveals one such major breach. A large-scale memory-based malware campaign has reportedly attacked more than 140 enterprises, primarily banks, government organizations, and telecommunications firms, in 40 countries including the U.S., France, and Ecuador.
Kaspersky Lab expert Kurt Baumgartner, in a conversation with ArsTechnica, says:
What’s interesting here is that these attacks are ongoing globally against banks themselves. The banks have not been adequately prepared in many cases to deal with this.
Researchers say they are unsure who is behind the attacks. They believe, however, that the techniques resemble those of groups previously uncovered by Kaspersky Lab, such as GCMAN and Carbanak. Both targeted banks and extracted large sums of money once inside the victims' systems.
What is Fileless Malware?
A fileless infection (fileless malware) is malicious coding that exists only in memory rather than installed to the target computer’s hard drive.
First discovered by Kaspersky in 2014 within their corporate network, fileless malware is different in that it is written directly to RAM. In fact, the infection remained undetected for more than six months. Kaspersky eventually unearthed evidence of Duqu 2.0, as the never-before-seen malware was dubbed. It was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Users typically contract fileless malware by visiting a malicious website, which they may be redirected to after clicking the attacker’s ad (malvertisement).
The malicious code is injected into a running process instead of being copied to the hard disk as a file. Because the malware never exists as a file, it evades antivirus programs that scan files on disk. Moreover, the infection cannot persist through a reboot on its own, because RAM is volatile memory and only holds its data while the system is powered on.
The Malware Attack and Its Consequences
The attack was initially discovered by a bank’s security team after they found a copy of Meterpreter (an in-memory component of Metasploit) inside the physical memory of a Microsoft domain controller.
Fortunately, the evidence on the domain controller was intact. Analysis of the dumped memory contents and the Windows registry allowed the researchers to recover the Meterpreter and Mimikatz code.
On analysis, they found the software combined with PowerShell scripts stashed in the Windows registry. Consequently, it was possible to invisibly siphon off the passwords of system administrators.
The attack also relied on Microsoft’s NETSH networking tool to set up a proxy tunnel for communicating with the command and control (C&C) server. This allowed remote control of the infected host and transfer of data to attacker-controlled servers.
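As an added, defender-side illustration (not code from the article or from Kaspersky's report), the following PowerShell triage script checks a Windows host for the two artifacts the article names: PowerShell launchers stashed in registry autorun locations and netsh portproxy tunnels. The registry key list and the indicator pattern are illustrative assumptions, not a complete detection set.

```powershell
# Added triage script, not from the article or Kaspersky's report. Run from an
# elevated PowerShell. Key list and indicator regex are illustrative assumptions.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Substrings typical of launcher values that decode and run PowerShell in memory.
$Indicator = 'powershell|pwsh|-enc\b|EncodedCommand|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|-nop\b|-noprofile|-w(indowstyle)?\s+hidden'

function Find-SuspiciousAutoruns {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $data = [string]$p.Value
            # Flag a known launcher pattern, or an unusually long value (embedded script body).
            if ($data -match $Indicator -or $data.Length -gt 1024) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Length = $data.Length
                                   Preview = $data.Substring(0, [Math]::Min(120, $data.Length)) }
            }
        }
    }
}
# Service ImagePath values are another place to park a launcher; check them the same way.
function Find-SuspiciousServiceImagePaths {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImagePath -match $Indicator } |
        Select-Object @{ n = 'Service'; e = { $_.PSChildName } }, ImagePath
}
# Every portproxy rule forwards a local listener elsewhere; each one should be accounted for.
function Get-PortProxyRules {
    netsh interface portproxy show all | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{ ListenAddr = $Matches[1]; ListenPort = [int]$Matches[2]
                               ConnectAddr = $Matches[3]; ConnectPort = [int]$Matches[4] }
        }
    }
}
'== Autorun values with PowerShell launcher indicators =='; Find-SuspiciousAutoruns | Format-Table -AutoSize
'== Service ImagePath values with PowerShell launcher indicators =='; Find-SuspiciousServiceImagePaths | Format-Table -AutoSize
'== netsh portproxy rules (review each; none are expected on a domain controller) =='; Get-PortProxyRules | Format-Table -AutoSize
```

A hit from either registry check is a reason to capture volatile memory before rebooting, since the in-memory component itself will not survive a restart.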
Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said:
The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware.
The main aim behind the attack was simply to monitor, and potentially compromise, the computers controlling ATMs, in preparation for future heists. It’s unclear how the victim enterprises’ servers were hacked in the first place. According to researchers, the attackers used a known exploit for an unpatched vulnerability.
More details regarding the attack will be released by Kaspersky in April. For now, details regarding possible compromise have been made available by the company’s researchers.