Saturday, May 18, 2024

Fileless Memory-Based Malware Attacks Against 140 Banks, Enterprises Networks in 40 Countries

Researchers with Kaspersky Lab’s Global Research and Analysis Team Discovered the  Fileless Memory-Based Malware Attacks Against  More than 140 enterprises–primarily banks, government organizations, and telecommunications firms in 40 countries, including the U.S., France, and Ecuador–have been affected.

The attackers, who may be connected to the GCMAN and Carbanak groups, aren’t using signature-based malware to carry out their attackers, instead they’re using fileless malware hidden in the memory of the affected servers.

Victims

Kaspersky Lab’s said ,This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab’s product detection names for such kinds of threat are “MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit.”

Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the  NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

the Metasploit framework was used to generate scripts like the following one:

Fileless attacks against enterprise networks

Kaspersky Lab’s Described the attack vector  with help of Mimikatz. an open-source, post-exploit utility, to grab credentials for service accounts with admin privileges.

This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host. This can be done, for example, using the following command:

The next step after installing the malicious service would be to set up tunnels to access to the infected machine from remote hosts, for example using the following command:

That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels will provide the attackers with the ability to control any PowerShell infected host from remote Internet hosts.

The use of the “SC” and “NETSH” utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.)

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said ,

The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab said Wednesday.

“That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.

It’s unclear how victim enterprises had their servers hacked in the first place. According to researchers, the attackers used a known exploit for an unpatched vulnerability.

Kaspersky Lab’s  Conclude this Malware Attack as,

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately the use of common tools combined with different tricks makes detection very hard.

In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I – Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for successful exfiltration of a network and how standard and open source utilities make attribution almost impossible.

Also Read:

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles