Monday, March 4, 2024

Fileless Memory-Based Malware Attacks Against 140 Banks, Enterprises Networks in 40 Countries

Researchers with Kaspersky Lab’s Global Research and Analysis Team Discovered the  Fileless Memory-Based Malware Attacks Against  More than 140 enterprises–primarily banks, government organizations, and telecommunications firms in 40 countries, including the U.S., France, and Ecuador–have been affected.

The attackers, who may be connected to the GCMAN and Carbanak groups, aren’t using signature-based malware to carry out their attackers, instead they’re using fileless malware hidden in the memory of the affected servers.

Victims

Kaspersky Lab’s said ,This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are “MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit.”

Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the  NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

the Metasploit framework was used to generate scripts like the following one:

Fileless attacks against enterprise networks

Kaspersky Lab’s Described the attack vector  with help of Mimikatz. an open-source, post-exploit utility, to grab credentials for service accounts with admin privileges.

This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.)

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said ,

The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said Wednesday.

“That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.

It’s unclear how victim enterprises had their servers hacked in the first place. According to researchers, the attackers used a known exploit for an unpatched vulnerability.

Kaspersky Lab’s  Conclude this Malware Attack as,

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

Also Read:

Website

Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles