Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.
Kaspersky Lab specialists have discovered a series of "invisible" targeted attacks that use legitimate software only: widely available penetration-testing and administration tools, plus the PowerShell framework for automating Windows tasks. No malware is written to the hard disk; the malicious code is hidden in memory. This combination helps the attackers evade application-whitelisting technologies and leaves researchers with almost no artefacts or malware samples to work from.
Attackers remain in the system long enough to gather the information they need, and their traces disappear from it after the first restart.
At the end of 2016, a bank in the CIS contacted Kaspersky Lab specialists after finding Meterpreter code (penetration-testing software now commonly used for malicious purposes) in the memory of its servers, where it was not supposed to be. Kaspersky Lab found that the Meterpreter code had been combined with a number of legitimate PowerShell scripts and other utilities. The combined tools had been adapted into malicious code that hid in memory and silently collected system administrator passwords, giving the attackers remote control of the victim's systems. The ultimate goal appears to have been access to financial processes.
Kaspersky Lab has since found that these attacks are happening on a large scale: more than 140 enterprise networks in a range of business sectors have been hit, with most of the victims located in the US, France, Ecuador, Kenya, the United Kingdom and Russia.
The geography of organizations that were attacked by the method discovered
In total, "infections" have been recorded in 40 countries.
It is not yet known who is behind the attacks. The use of open-source exploit code, common Windows utilities and previously unknown domains makes it almost impossible to identify the group responsible, or even to say whether it is a single group or several groups sharing the same tools. The known groups whose approach most closely resembles this one are GCMAN and Carbanak.
Such tools also make it harder to reveal the details of an attack. The usual incident-response procedure is for a researcher to follow the traces and samples that the attackers leave on the network. While data on a hard disk can remain available for a year after the event, artefacts hidden in memory are wiped the first time the computer restarts. Fortunately, in this case the experts reached them in time.
"The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend towards anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents the attackers used every conceivable anti-forensic technique, demonstrating that no malware files are needed for the successful exfiltration of data from a network, and that the use of legitimate and open-source utilities makes attribution almost impossible," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
The attackers are still active, so it is important to note that such an attack can only be detected in RAM, on the network and in the registry, and that Yara rules based on scanning for malicious files are of no use in such cases.
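As an added illustration of what hunting in those three places looks like in practice (this is not code from Kaspersky Lab or from the Securelist post, and it does not reproduce the campaign's actual artefacts), the following PowerShell script checks live processes, registry autorun values, service definitions and network connections for PowerShell launched with encoded or hidden command lines, and decodes any `-EncodedCommand` payload it finds. The regex patterns, registry keys and the assumption that persistence takes the form of an autorun value or service are the author's, not facts stated on the page.

```powershell
# Added example (not from the original page): hunt for in-memory PowerShell tradecraft in the
# three places the press release says it remains visible: RAM (live processes), the registry
# and the network. Run as an administrator on the suspect host.
# ASSUMPTION: persistence, if any, is an autorun value or service that starts powershell.exe with
# an encoded or hidden command line; the page does not describe the actual persistence mechanism.

# Command-line traits common to fileless PowerShell loaders (author's pattern, not an IOC from the page).
$Suspicious = '(?i)-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{40,}|-w(indowstyle)?\s+hidden|-nop|Invoke-Expression|\bIEX\b|DownloadString|FromBase64String'

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries the script as base64 of its UTF-16LE text; decode it for analysis.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
    }
}

function Get-SuspiciousProcess {
    # RAM: running powershell.exe instances whose command line matches the loader pattern.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^(powershell|pwsh)(\.exe)?$' -and $_.CommandLine -match $Suspicious } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                CommandLine = $_.CommandLine
                Decoded     = ConvertFrom-EncodedCommand -CommandLine $_.CommandLine
            }
        }
}

function Get-SuspiciousRegistryAutorun {
    # Registry: autorun values that start PowerShell with a suspicious command line.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and similar metadata
            $v = [string]$p.Value
            if ($v -match '(?i)powershell|pwsh' -and $v -match $Suspicious) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $v; Decoded = ConvertFrom-EncodedCommand -CommandLine $v }
            }
        }
    }
}

function Get-SuspiciousService {
    # Registry-backed service definitions whose image path invokes PowerShell.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '(?i)powershell|pwsh' -and $_.PathName -match $Suspicious } |
        Select-Object Name, State, StartMode, PathName
}

function Get-PowerShellNetworkConnection {
    # Network: established TCP connections owned by a PowerShell process (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
    $ids = @(Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
    if ($ids.Count -eq 0) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains [int]$_.OwningProcess } |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort
}

Get-SuspiciousProcess
Get-SuspiciousRegistryAutorun
Get-SuspiciousService
Get-PowerShellNetworkConnection
```

Because the payload only exists while the host is up, run this before any reboot and capture a full memory image alongside it; the script surfaces the launcher, but the Meterpreter stage it loads is only recoverable from RAM.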
Details of the second part of the operation, showing how attackers apply unique tactics to withdraw money through ATMs, will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April 2017.
Kaspersky Lab products detect operations that use the tactics, techniques and procedures described above. More information on this story, together with Yara rules for memory forensics, can be found in the dedicated post on Securelist.com. Technical details, including indicators of compromise, are also provided to customers of Kaspersky Intelligence Services.