Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.
Οι ειδικοί της Kaspersky Lab ανακάλυψαν μια σειρά από «αόρατες» στοχευμένες επιθέσεις που χρησιμοποιούν μόνο νόμιμο λογισμικό: ευρέως διαθέσιμα εργαλεία για penetration tests και εργαλεία διαχείρισης, καθώς και το πλαίσιο συνεργασίας PowerShell για την αυτοματοποίηση εργασιών στα Windows - with no malware files on the hard disk, but hidden in memory. This combined approach helps avoid detection by whitelisting technologies and leaves researchers with almost no objects or samples of malware they could work with.
Attackers remain in the system for a long time to gather information before their tracks disappear from it after the first restart.
At the end of 2016, banks contacted Kaspersky Lab specialists in CIS, who identified the Meterpreter (penetration testing software currently commonly used for malicious purposes) in the memory of their servers at times that were supposed to not it is there. Kaspersky Lab has discovered that the Meterpreter code has been combined with a series of legitimate PowerShell scenarios and other utilities. The combined tools were adapted to malicious code that could be hidden in memory by invisibly collecting system administrator passwords so that attackers would be able to remotely control the victim's systems. The ultimate goal seems to be access to economic processes.
Η Kaspersky Lab έκτοτε αποκάλυψε ότι οι επιθέσεις αυτές συμβαίνουν σε μαζική κλίμακα: πλήγματα σε πάνω από 140 δίκτυα επιχειρήσεων σε διάφορους επιχειρηματικούς τομείς, με τα περισσότερα θύματα να βρίσκονται στις ΗΠΑ, τη Γαλλία, τον Ισημερινό, την Κένυα, το Ηνωμένο Βασίλειο και τη Russia.
The geography of organizations that were attacked by the method discovered
In total, "infections" have been recorded in 40 countries.
It is not yet known who is behind the attacks. The use of open source exploits, common Windows utilities, and unknown regions make it nearly impossible to determine team που ήταν υπεύθυνη – ή ακόμα και αν πρόκειται για μια ενιαία team ή περισσότερες ομάδες που μοιράζονται τα ίδια εργαλεία. Γνωστές ομάδες που έχουν τις περισσότερες παρόμοιες προσεγγίσεις είναι οι GCMAN and Carbanak.
Such tools also make it more difficult to uncover the details of the attack. The usual procedure followed when dealing with incidents is for an investigator to follow the traces and samples left on the network by the attackers. And while the data on the hard disk can remain available for a year after the fact, objects hidden in memory will be deleted when the computer is first restarted. Fortunately, in this case, the experts got to them in time.
"The determination of attackers to hide their activity and make detection and response increasingly difficult explains the latest trend of anti-crime techniques and malware that rely on device memory. This is why forensic research on memory becomes critical to it analysis κακόβουλου λογισμικού και των λειτουργιών του. Σε αυτά τα συγκεκριμένα περιστατικά, οι επιτιθέμενοι χρησιμοποίησαν κάθε δυνατή αντι- εγκληματολογική τεχνική, αποδεικνύοντας πως δεν υπάρχουν αρχεία κακόβουλου λογισμικού που απαιτούνται για την επιτυχημένη εκδιήθηση των δεδομένων από ένα δίκτυο, και πώς η χρήση νόμιμων και ανοικτού κώδικα βοηθητικών προγραμμάτων καθιστά την απόδοση σχεδόν αδύνατη», said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
Attackers are still active, so it is important to note that detecting such an attack is only possible in RAM, the network and the registry - and that, in such cases, the use of Yara rules based on scanning malicious files is not have no use.
Details about the second part of it modes, which shows how attackers apply unique tactics to withdraw money through ATMs will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, which will take place from April 2 to 6, 2017.
Kaspersky Lab products detect functions using the above tactics, techniques and procedures. More information about this story and the Yara rules for forensic analysis can be found on the dedicated blog on the site Securelist.com. Technical details, including Compromise Indicators, are also provided to customers of Kaspersky Intelligence Services.
