WHY THIS MATTERS IN BRIEF
- A new form of never seen before malware has been discovered and it’s getting more common, unlike previous forms of malware that rely on files to do their dirty work this one lives in computer memory – and that’s a problem
Just a couple of years ago the researchers at the famous Moscow based Kaspersky Lab discovered that their corporate network had been infected with a type of malware unlike anything they’d ever seen before. Virtually all of the malware resided solely in the memory of the compromised computers – a feat that had allowed the infection to remain undetected for at least six months.
Kaspersky eventually unearthed evidence that Duqu 2.0, as they called it, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Now, “fileless malware,” as it’s formally beginning to be known, is going mainstream as hackers start to mimic their nation sponsored counterparts. According to research Kaspersky Lab plans to publish early next week, the networks of at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible, but because the infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools, including PowerShell, Metasploit, and Mimikatz, that are used to inject the malware into computer memory.
“What’s interesting here is that these attacks are ongoing globally against banks themselves,” says Kaspersky Lab expert Kurt Baumgartner, “the banks have not been adequately prepared in many cases to deal with this.”
He went on to say that people behind the attacks are “pushing money out of the banks from within the banks,” by targeting computers that run automatic teller machines.
The 140 unnamed organizations that have been infected reside in 40 different countries, with the US, France, Ecuador, Kenya, and the UK being the top five most affected nations. The Kaspersky Lab researchers still don’t know if a single group of individuals is behind the attacks, or if they’re being carried out by competing hacker gangs and the use of the fileless malware and command-server domains that aren’t associated with any whois data makes the already difficult task of attribution almost impossible.
The researchers first discovered the malware late last year, when a bank’s security team found a copy of Meterpreter, an in-memory component of Metasploit, residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft’s NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or hard drives, the attackers stashed the PowerShell commands into the Windows registry.
Fortunately, the evidence on the domain controller was intact, presumably because it hadn’t been restarted before Kaspersky Lab researchers began their investigation. An analysis of the dumped memory contents and the Windows registries allowed the researchers to restore the Meterpreter and Mimikatz code. The attackers, the researchers later determined, had used the tools to collect passwords of system administrators and for the remote administration of infected host machines.
“We’re talking about a lot of incidents that often varied in the way they were carried out,” said Baumgartner, “we’re looking at the common denominator across all of these incidents, which happens to be this odd use in embedding PowerShell into the registry in order to download Meterpretor and then carry out actions from there with native Windows utilities and system administrative tools.”
The researchers don’t yet know how the malware initially takes hold. Possible vectors include SQL-injection attacks and exploits targeting plugins for the WordPress content management application. Kaspersky Lab plans to provide more details in April about how the infections were used to siphon money out of ATMs. For now, company researchers are providing indicators of compromise and other technical details here.
Another company that’s been making the news recently is Bromium whose new micro-virtualisation approach to beating malware seems to be going down a storm, particularly within the government and national security circles.
“Since our product doesn’t rely on detect-to-protect, fileless malware and other stealth approaches to infecting endpoints pose no challenges, and we can be fully confident micro-virtualization will isolate the malware just fine,” said Ian Pratt, Bromium’s CEO and co-founder.
The message though is clear, malware has evolved – again. Is there something dark lurking in your memory? Computer memory that is…
Source: Kaspersky Lab