Banks, telecommunication companies and government agencies in the US, South America, Europe and Africa are among the top targets, with the notorious GCMAN and Carbanak groups among the key suspects.
Her experts Kaspersky Lab discovered a series of "invisible" targeted attacks that use only legitimate software: widely available tools for penetration testing and tools managementς, καθώς και το πλαίσιο συνεργασίας PowerShell για την αυτοματοποίηση εργασιών στα Windows – με κανένα αρχείο malicioussoftware to be on the hard drive, but hidden in memory. This combined approach helps avoid detection by whitelisting technologies and leaves researchers with almost no artifacts or malware samples to work with.
Attackers remain in the system for a long time to gather information before their tracks disappear from it after the first restart.
At the end of 2016, banks contacted Kaspersky Lab specialists in CIS, who identified the Meterpreter (penetration testing software currently commonly used for malicious purposes) in the memory of their servers at times that were supposed to not it is there. Kaspersky Lab has discovered that the Meterpreter code has been combined with a series of legitimate PowerShell scenarios and other utilities. The combined tools were adapted to malicious code that could be hidden in memory by invisibly collecting system administrator passwords so that attackers would be able to remotely control the victim's systems. The ultimate goal seems to be access to economic processes.
Kaspersky Lab has since revealed that these attacks are happening on a massive scale: blows over 140 business networks in various business sectors, with most victims being in the US, France, Ecuador, Kenya, the United Kingdom and Russia .
The geography of organizations that were attacked by the method discovered
In total, "infections" have been recorded in 40 countries.
It is not yet known who is behind the attacks. The use of open source exploits, common Windows utilities, and unknown regions make it nearly impossible to determine team who was responsible – or even if it is a single team or multiple teams sharing the same tools. Well-known groups that have the most similar approaches are GCMAN and Carbanak.
Such tools also make it more difficult to reveal the details of the attack. The usual procedure used to deal with incidents is that a researcher follows the traces and specimens left to the network by the attackers. And while hard disk data may remain available for one year after the event, objects hidden in memory will be erased when the computer restarts for the first time. Fortunately, in this case, the experts arrived at them in time.
"The determination of attackers to hide their activities and make it increasingly difficult to detect and deal with incidents explains the latest trend in anti-crime techniques and device-based malware. This is why forensic memory research becomes critical to the analysis of malware and its functions. In these specific cases, the attackers used every possible anti-crime technique, proving that there are no malware files required for the successful extraction of data from a network, and that the use of legal and open source utilities makes performance almost impossible. », said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
Attackers are still active, so it is important to note that detecting such an attack is only possible in RAM, the network and the registry - and that, in such cases, the use of Yara rules based on scanning malicious files is not have no use.
Details of the second part of the operation, showing how attackers apply unique tactics to withdraw money through ATMs, will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April 2017.
Kaspersky Lab products detect functions using the above tactics, techniques and procedures. More information on this story and the Yara rules on forensic analysis can be found on the dedicated blog on the site Securelist.com. Technical details, including Compromise Indicators, are also provided to customers of Kaspersky Intelligence Services.
