Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.
Kaspersky Lab experts have discovered a series of "invisible" targeted attacks that use only legitimate software: widely available penetration-testing and administration tools, together with the PowerShell framework for automating tasks on Windows, with no malware files on the hard disk, only code hidden in memory. This combined approach helps evade detection by whitelisting technologies and leaves researchers with almost no artefacts or malware samples to work with.
The attackers remain in the system long enough to gather information before their traces disappear from it after the first reboot.
At the end of 2016, banks in the CIS contacted Kaspersky Lab specialists, who identified Meterpreter (penetration-testing software that is now commonly used for malicious purposes) in the memory of their servers where it was not supposed to be. Kaspersky Lab discovered that the Meterpreter code had been combined with a series of legitimate PowerShell scripts and other utilities. The combined tools were adapted into malicious code that could hide in memory while invisibly collecting system administrator passwords, so that the attackers could remotely control the victims' systems. The ultimate goal appears to be access to financial processes.
Kaspersky Lab has since found that these attacks are happening on a massive scale: more than 140 enterprise networks in various business sectors have been hit, with most victims located in the US, France, Ecuador, Kenya, the United Kingdom and Russia.
Figure: the geography of organizations attacked using the discovered method.
In total, "infections" have been recorded in 40 countries.
It is not yet known who is behind the attacks. The use of open-source exploit code, common Windows utilities and unknown domains makes it almost impossible to identify the group responsible, or even to tell whether it is a single group or several groups sharing the same tools. The well-known groups with the most similar approaches are GCMAN and Carbanak.
Such tools also make it more difficult to uncover the details of the attack. The usual procedure followed when dealing with incidents is for an investigator to follow the traces and samples left on the network by the attackers. And while the data on the hard disk can remain available for a year after the fact, objects hidden in memory will be deleted when the computer is first restarted. Fortunately, in this case, the experts got to them in time.
"The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique, demonstrating that no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open-source utilities makes attribution nearly impossible," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
The attackers are still active, so it is important to note that detecting such an attack is possible only in RAM, on the network and in the registry, and that, in such cases, Yara rules based on scanning for malicious files are of no use.
Details of the second part of the operation, showing how attackers apply unique tactics to withdraw money through ATMs, will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April 2017.
Kaspersky Lab products detect operations using the above tactics, techniques and procedures. More information on this story and the Yara rules for forensic analysis can be found in the dedicated blog post on Securelist.com. Technical details, including Indicators of Compromise, are also provided to customers of Kaspersky Intelligence Services.