GCMAN and Carbanak Hacking in 40 countries with hidden malware

Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.

Her experts Lab ανακάλυψαν μια σειρά από «αόρατες» στοχευμένες επιθέσεις που χρησιμοποιούν μόνο νόμιμο λογισμικό: ευρέως διαθέσιμα εργαλεία για δοκιμές διείσδυσης και εργαλεία διαχείρισης, καθώς και το πλαίσιο συνεργασίας PowerShell για την αυτοματοποίηση εργασιών στα Windows – με κανένα αρχείο υ λογισμικού να βρίσκεται στον σκληρό δίσκο, αλλά να κρύβεται στη . Αυτή η συνδυασμένη προσέγγιση βοηθά στην αποφυγή του εντοπισμού από τεχνολογίες whitelisting και αφήνει τους ερευνητές σχεδόν χωρίς αντικείμενα ή δείγματα software they could work with.GCMAN and Carbanak.

Οι επιτιθέμενοι παραμένουν στο σύστημα για αρκετό χρονικό με στόχο να συγκεντρώσουν πληροφορίες πριν τα ίχνη τους εξαφανιστούν από αυτό έπειτα από την πρώτη επανεκκίνηση.

At the end of 2016, banks contacted Kaspersky Lab specialists in CIS, who identified the Meterpreter (penetration testing software currently commonly used for malicious purposes) in the memory of their servers at times that were supposed to not it is there. Kaspersky Lab has discovered that the Meterpreter code has been combined with a series of legitimate PowerShell scenarios and other utilities. The combined tools were adapted to malicious code that could be hidden in memory by invisibly collecting system administrator passwords so that attackers would be able to remotely control the victim's systems. The ultimate goal seems to be access to economic processes.

Kaspersky Lab has since revealed that these attacks are happening on a massive scale: blows over 140 business networks in various business sectors, with most victims being in the US, France, Ecuador, Kenya, the United Kingdom and Russia .

The geography of organizations that were attacked by the method discovered

In total, "infections" have been recorded in 40 countries.

It is not yet known who is behind the attacks. Using open source vulnerabilities, common Windows utilities, and unknown sites make it almost impossible to identify the group that was responsible - or even if it is a single group or more groups sharing the same tools. Well-known groups that have the most similar approaches are GCMAN and Carbanak.

Such tools also make it more difficult to uncover the details of the attack. The usual procedure followed when dealing with incidents is for an investigator to follow the traces and samples left on the network by the attackers. And while the on the hard disk can remain available for a year after the fact, objects hidden in memory will be deleted when the computer is first restarted. Fortunately, in this case, the experts got to them in time.

"The determination of attackers to hide their activity and make detection and response increasingly difficult explains the latest trend of anti-crime techniques and malware that rely on device memory. This is why forensic research on memory becomes critical to it και των λειτουργιών του. Σε αυτά τα συγκεκριμένα περιστατικά, οι επιτιθέμενοι χρησιμοποίησαν κάθε δυνατή αντι- εγκληματολογική τεχνική, αποδεικνύοντας πως δεν υπάρχουν αρχεία κακόβουλου λογισμικού που απαιτούνται για την επιτυχημένη  εκδιήθηση των δεδομένων από ένα δίκτυο, και πώς η χρήση νόμιμων και utility code makes performance nearly impossible,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Οι επιτιθέμενοι είναι ακόμα ενεργοί, για αυτό είναι σημαντικό να σημειωθεί ότι η ανίχνευση μιας τέτοιας επίθεσης είναι πιθανή μόνο στη μνήμη , το δίκτυο και το μητρώο – και ότι, σε τέτοιες περιπτώσεις, η χρήση των κανόνων Yara με βάση τη σάρωση κακόβουλων αρχείων δεν έχουν καμία χρήση.

Details of the second part of the operation, showing how attackers apply unique tactics to withdraw money through ATMs, will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April 2017.

Kaspersky Lab products detect functions using the above tactics, techniques and procedures. More information on this story and the Yara rules on forensic analysis can be found on the dedicated blog on the site Securelist.com. Technical details, including Compromise Indicators, are also provided to customers of Kaspersky Intelligence Services.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).