Banks Around The World Hit With Fileless Malware

Uploaded on 2017-03-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Kaspersky Lab researchers have brought to light a series of attacks leveraged against more than 140 banks and other businesses around the world.

But what makes these attacks unusual is the criminals’ use of widely used legitimate tools and fileless malware, which explains why the attacks went largely unnoticed.

The Discovery

“This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC),” the researchers explained.

“Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility as used for tunneling traffic from the victim’s host to the attacker´s C2.”

Meterpreter is a well-known Metasploit payload that allows attackers to control the screen of a device using VNC and to browse, upload and download files. NETSH (network shell), is a Windows command-line utility that allows local or remote configuration of network devices.

The attackers also took advantage of the Windows SC utility to install a malicious service to execute PowerShell scripts, and Mimikatz to extract credentials from compromised machines.

“The use of the SC and NETSH utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes,” the researchers noted.

“In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.”

The attackers’ goal

The attacks on banks were apparently aimed at compromising computers that control ATMs, so the attackers could steal money.

But the use of the Metasploit framework, standard Windows utilities and previously unknown domains that have no WHOIS information makes it difficult to tie these attacks to one or more groups. Also, it is still unknown how the initial infection is performed.

What to do?

The researchers are scheduled to reveal more details about the attacks in April.

In the meantime, they have published Indicators of Compromise (IoCs) and a Yara rule that can be used by banks and organisations to detect these fileless PowerShell attacks on their networks.

“After successful disinfection and cleaning, it is necessary to change all passwords,” they concluded.

HelpNetSecurity:

Only 20% Of UK Banks Can Properly Detect Breaches:    

Emerging Details Of Cyber Assault On A Major UK Bank:

 

 

« Facebook Wants To Eliminate Racially Targeted Advertising
Twitter Gains 2m Users But Loses $457m »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

Simeio Solutions

Simeio Solutions

Simeio is a complete Identity and Access Management (IAM) solution provider that engages securely with anyone, anywhere, anytime.

Codified Security

Codified Security

Codified is a testing platform for mobile application software. We make it easier than ever for companies to detect and fix security vulnerabilities and ensure their applications are compliant.

Sandline Discovery

Sandline Discovery

Sandline Discovery provides digital forensics, eDiscovery solutions, managed review and litigation consulting services.

Xilinx

Xilinx

Xilinx is the inventor of the FPGA, programmable SoCs, and now, the ACAP. We are building the Adaptable, Intelligent World.

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71) is Singapore's first cybersecurity entrepreneur hub.

Invest Ottawa

Invest Ottawa

The IO Accelerator Program is designed to rapidly and systematically accelerate the development and commercial success of high growth technology firms.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

Cybermerc

Cybermerc

Cybermerc's services, training programmes and cyber security solutions are designed to forge collaborations across industry, government and academia, for collective defence of our digital borders.

Kontex

Kontex

Kontex is a Cyber Security consultancy creating resilient solutions. From Strategy, Advisory and Implementation to Management and everything in between.

A&O IT Group

A&O IT Group

A&O IT Group provide IT support and services including IT Managed Services, IT Project Services, IT Engineer Services and Cyber Security.

ConnectSecure

ConnectSecure

ConnectSecure (formerly CyberCNS) is a global cybersecurity company that delivers tools to identify and address vulnerabilities and manage compliance requirements.

Clearvision

Clearvision

As an Atlassian Platinum Solution Partner, Clearvision works with teams in the UK and US, providing solutions for the Atlassian stack, Git and open source tooling.

Core to Cloud

Core to Cloud

Core to Cloud provide consultancy and technical support for the planning and implementation of sustainable security strategies.

CERT.ar

CERT.ar

CERT.ar is the national Computer Emergency Response Team for the technical-administrative management of computer security incidents in the National Public Sector of Argentina.

Cynclair

Cynclair

Cybersecurity is a complex beast. And we're the beast-tamers. Our team thrives on deciphering the latest threats, building cutting-edge defenses, and making your digital world much safer.