Banks Around The World Hit With Fileless Malware

Kaspersky Lab researchers have brought to light a series of attacks leveraged against more than 140 banks and other businesses around the world.

But what makes these attacks unusual is the criminals’ reliance on legitimate, widely available administration tools and on fileless malware that leaves nothing on disk, which explains why the attacks went largely unnoticed.

The Discovery

“This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC),” the researchers explained.

“Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunneling traffic from the victim’s host to the attacker’s C2.”

Meterpreter is a well-known Metasploit payload that allows attackers to control the screen of a device using VNC and to browse, upload and download files. NETSH (network shell) is a Windows command-line utility that allows local or remote configuration of network devices.

The attackers also took advantage of the Windows SC utility to install a malicious service to execute PowerShell scripts, and Mimikatz to extract credentials from compromised machines.

“The use of the SC and NETSH utilities requires administrator privileges on both the local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes,” the researchers noted.

“In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.”
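The artefacts described above (a service installed with SC that launches PowerShell, scripts stored in the registry, and NETSH used to forward traffic) can each be checked for on a host. The hunt script below is an added example, not Kaspersky's code or part of the published IoCs; it assumes the NETSH tunnelling was done through the portproxy feature, which is the usual way NETSH forwards traffic, and it looks at the standard autorun registry keys rather than every possible registry location.

```powershell
# Added hunt script (not from the article or Kaspersky). Checks one Windows host for:
#   1. services (installed with sc.exe) whose binary path launches PowerShell,
#   2. autorun registry values that run PowerShell or decode Base64 inline,
#   3. netsh portproxy rules forwarding a local port to another host
#      (assumption: the tunnelling used portproxy).
# Run in an elevated PowerShell session; prints one row per finding.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. A service binary that invokes PowerShell is rare on a server and worth review.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'powershell(\.exe)?|pwsh' } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 2. Autorun values that call PowerShell, pass -EncodedCommand (or -e / -enc / -ec),
#    or decode Base64 and evaluate it in place.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$suspicious = 'powershell|pwsh|\s-e(c|nc|ncodedcommand)?\s|FromBase64String|Invoke-Expression|\bIEX\b'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $suspicious } |
        ForEach-Object { Add-Finding 'Registry' "$key\$($_.Name)" "$($_.Value)" }
}

# 3. portproxy rules: each data row of the netsh output reads
#    "<listen address> <listen port> <connect address> <connect port>".
#    On a host that is not knowingly a port forwarder, every row is a finding.
netsh interface portproxy show v4tov4 | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
        Add-Finding 'PortProxy' "$($Matches[1]):$($Matches[2])" "-> $($Matches[3]):$($Matches[4])"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No matching artefacts found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it across domain controllers first, since that is where the investigation found Meterpreter in memory, and treat any hit as a trigger for memory capture before remediation, not as proof of compromise on its own.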

The attackers’ goal

The attacks on banks were apparently aimed at compromising computers that control ATMs, so the attackers could steal money.

But the use of the Metasploit framework, standard Windows utilities and previously unknown domains that have no WHOIS information makes it difficult to tie these attacks to one or more groups. Also, it is still unknown how the initial infection is performed.

What to do?

The researchers are scheduled to reveal more details about the attacks in April.

In the meantime, they have published Indicators of Compromise (IoCs) and a YARA rule that banks and other organisations can use to detect these fileless PowerShell attacks on their networks.

“After successful disinfection and cleaning, it is necessary to change all passwords,” they concluded.

HelpNetSecurity:
