Wednesday, September 18, 2024
HomeMalwareFileless Memory-Based Malware Attacks Against 140 Banks, Enterprises Networks in 40 Countries

Fileless Memory-Based Malware Attacks Against 140 Banks, Enterprises Networks in 40 Countries

Published on

Researchers with Kaspersky Lab’s Global Research and Analysis Team Discovered the  Fileless Memory-Based Malware Attacks Against  More than 140 enterprises–primarily banks, government organizations, and telecommunications firms in 40 countries, including the U.S., France, and Ecuador–have been affected.

The attackers, who may be connected to the GCMAN and Carbanak groups, aren’t using signature-based malware to carry out their attackers, instead they’re using fileless malware hidden in the memory of the affected servers.

Victims

Kaspersky Lab’s said ,This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are “MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit.”

- Advertisement - EHA

Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the  NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

the Metasploit framework was used to generate scripts like the following one:

Fileless attacks against enterprise networks

Kaspersky Lab’s Described the attack vector  with help of Mimikatz. an open-source, post-exploit utility, to grab credentials for service accounts with admin privileges.

This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.)

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said ,

The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said Wednesday.

“That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.

It’s unclear how victim enterprises had their servers hacked in the first place. According to researchers, the attackers used a known exploit for an unpatched vulnerability.

Kaspersky Lab’s  Conclude this Malware Attack as,

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

Also Read:

Latest articles

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN...

Microsoft Windows Kernel Vulnerability Exploited in the Wild

Microsoft has confirmed the exploitation of a Windows Kernel vulnerability, identified as CVE-2024-37985, in...

Discord Announces End-to-End Encryption for Audio & Video Chats

Discord has introduced end-to-end encryption (E2EE) for audio and video chats.Known as the...

Threat Actor Allegedly Selling Bharat Petroleum Database

A threat actor has allegedly put up for sale a database belonging to Bharat...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hackers Exploiting Selenium Grid Tool To Deploy Exploit Kit & Proxyjacker

Two campaigns targeting Selenium Grid's default lack of authentication are underway, as threat actors...

North Korean Hackers Attacking LinkedIn Users to Deliver RustDoor Malware

North Korean hackers have been identified as targeting LinkedIn users to deliver sophisticated malware...

Crimson Palace Returns With New Hacking Tolls And Tactics

Cluster Bravo, despite its brief initial activity, subsequently targeted 11 organizations in the same...