Banks Around The World Hit With Fileless Malware

Kaspersky Lab researchers have brought to light a series of attacks leveraged against more than 140 banks and other businesses around the world.

But what makes these attacks unusual is the criminals’ use of widely used legitimate tools and fileless malware, which explains why the attacks went largely unnoticed.

The Discovery

“This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC),” the researchers explained.

“Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunneling traffic from the victim’s host to the attacker’s C2.”

Meterpreter is a well-known Metasploit payload that allows attackers to control the screen of a device using VNC and to browse, upload and download files. NETSH (network shell) is a Windows command-line utility that allows local or remote configuration of network devices.

The attackers also took advantage of the Windows SC utility to install a malicious service to execute PowerShell scripts, and Mimikatz to extract credentials from compromised machines.

“The use of the SC and NETSH utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes,” the researchers noted.

“In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.”

The attackers’ goal

The attacks on banks were apparently aimed at compromising computers that control ATMs, so the attackers could steal money.

But the use of the Metasploit framework, standard Windows utilities and previously unknown domains that have no WHOIS information makes it difficult to tie these attacks to one or more groups. Also, it is still unknown how the initial infection is performed.

What to do?

The researchers are scheduled to reveal more details about the attacks in April.

In the meantime, they have published Indicators of Compromise (IoCs) and a Yara rule that can be used by banks and organisations to detect these fileless PowerShell attacks on their networks.
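As an added illustration, not part of the HelpNetSecurity article or of Kaspersky's published IoCs and Yara rule, the Python below shows the kind of log-based detection the researchers' findings suggest, run over constructed sample records: a newly installed service whose image path invokes PowerShell, NETSH adding a port proxy, a remote SC service creation pointing at PowerShell, and a PowerShell command written to a registry Run key. The event IDs and field names are assumptions modelled on Windows System/Security and Sysmon logging.

```python
import re

# Constructed sample records (not from the Kaspersky report) in the shape (event_id, detail).
# Assumed sources: 7045 = System log "new service installed", 4688 = Security log
# process creation, 13 = Sysmon registry value set.
SAMPLE_EVENTS = [
    (7045, "ServiceName=upd_svc ImagePath=powershell.exe -nop -w hidden -enc <constructed>"),
    (4688, "CommandLine=netsh interface portproxy add v4tov4 listenport=4444 "
           "connectaddress=10.0.0.5 connectport=443"),
    (4688, 'CommandLine=sc \\\\dc01 create upd_svc binPath= "powershell.exe -nop -enc <constructed>"'),
    (13,   "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd "
           "Details=powershell.exe -w hidden -enc <constructed>"),
    (7045, "ServiceName=HealthCheck ImagePath=powershell.exe -File C:\\scripts\\health.ps1"),
    (7045, "ServiceName=BackupAgent ImagePath=C:\\Program Files\\Backup\\agent.exe"),
    (4688, "CommandLine=netsh interface show interface"),
]

# Each rule: (name, event_id it applies to, pattern over the detail text).
RULES = [
    ("service_runs_powershell", 7045, re.compile(r"ImagePath=.*powershell", re.I)),
    ("netsh_portproxy_tunnel", 4688, re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    ("sc_creates_powershell_service", 4688, re.compile(r"\bsc\b.*\bcreate\b.*powershell", re.I)),
    ("powershell_in_registry_run_key", 13,
     re.compile(r"TargetObject=.*\\Run\\.*Details=.*powershell", re.I)),
]
# Flags typical of in-memory script execution: encoded command, no profile, hidden window.
STEALTH_FLAGS = re.compile(r"-(enc|encodedcommand|nop|noprofile|w\s+hidden)\b", re.I)

def severity(detail):
    """'high' for traffic tunnelling or stealth-flagged PowerShell, otherwise 'medium'."""
    if "portproxy" in detail.lower() or STEALTH_FLAGS.search(detail):
        return "high"
    return "medium"

def scan(events):
    """Return (rule_name, severity, detail) for every record that matches a rule."""
    hits = []
    for event_id, detail in events:
        for name, wanted_id, pattern in RULES:
            if event_id == wanted_id and pattern.search(detail):
                hits.append((name, severity(detail), detail))
    return hits

if __name__ == "__main__":
    for name, sev, detail in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] {name}: {detail[:70]}")
```

A plain `-File` service script is reported at medium severity so that a legitimate scheduled script is reviewed rather than ignored; the benign backup service and the read-only `netsh show` produce no hit.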

“After successful disinfection and cleaning, it is necessary to change all passwords,” they concluded.

Source: HelpNetSecurity

