Banks Around The World Hit With Fileless Malware

Kaspersky Lab researchers have brought to light a series of attacks leveraged against more than 140 banks and other businesses around the world.

But what makes these attacks unusual is the criminals’ use of widely used legitimate tools and fileless malware, which explains why the attacks went largely unnoticed.

The Discovery

“This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC),” the researchers explained.

“Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility as used for tunneling traffic from the victim’s host to the attacker´s C2.”

Meterpreter is a well-known Metasploit payload that allows attackers to control the screen of a device using VNC and to browse, upload and download files. NETSH (network shell), is a Windows command-line utility that allows local or remote configuration of network devices.

The attackers also took advantage of the Windows SC utility to install a malicious service to execute PowerShell scripts, and Mimikatz to extract credentials from compromised machines.

“The use of the SC and NETSH utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes,” the researchers noted.

“In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.”

The attackers’ goal

The attacks on banks were apparently aimed at compromising computers that control ATMs, so the attackers could steal money.

But the use of the Metasploit framework, standard Windows utilities and previously unknown domains that have no WHOIS information makes it difficult to tie these attacks to one or more groups. Also, it is still unknown how the initial infection is performed.

What to do?

The researchers are scheduled to reveal more details about the attacks in April.

In the meantime, they have published Indicators of Compromise (IoCs) and a Yara rule that can be used by banks and organisations to detect these fileless PowerShell attacks on their networks.

“After successful disinfection and cleaning, it is necessary to change all passwords,” they concluded.

HelpNetSecurity:

Only 20% Of UK Banks Can Properly Detect Breaches:    

Emerging Details Of Cyber Assault On A Major UK Bank:

 

 

« Facebook Wants To Eliminate Racially Targeted Advertising
Twitter Gains 2m Users But Loses $457m »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Booz Allen Hamilton

Booz Allen Hamilton

Booz Allen Hamilton is a management & tech consulting firm. Technology services include cloud computing, cyber security, systems development and integration.

Malware.lu

Malware.lu

Malware.lu is a repository of malware and technical analysis. The goal of the project is to provide samples and technical analysis to security researchers.

MIIS Cyber Initiative

MIIS Cyber Initiative

The Cyber Initiative's mission is to assess the impact of the information age on security, peace and communications.

Panaseer

Panaseer

Panaseer is an enterprise cybersecurity automation and data analytics company that helps organizations stop preventable breaches by ensuring security controls are working effectively.

Evidence Talks (ETL)

Evidence Talks (ETL)

A leading forensic computing authority developing unique digital forensic technologies. Tools that detect potential terrorists & criminals & used by the military, enforcement & intelligence commmunity

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

High Wire Networks

High Wire Networks

High Wire Network’s Overwatch Managed Security Plaform-as-a-Service offers organizations end-to-end protection for networks, data, endpoints and users.

Upfront Security

Upfront Security

Upfront Security helps companies with innovative products & services to prevent, recognise and recover from (identity) fraud.

Identity Management Institute (IMI)

Identity Management Institute (IMI)

Identity Management Institute (IMI) provides professional training and certification in cyber security with a focus on identity and access management, identity theft, and data protection.

Buchanan & Edwards

Buchanan & Edwards

Buchanan & Edwards delivers forward-focused technology solutions that help our clients transform the way they perform their missions.

Guernsey

Guernsey

Guernsey provides a wide range of engineering, architecture and consulting services to multiple markets, including cybersecurity consulting and CMMC certification.

Protectt.ai Labs

Protectt.ai Labs

Protectt.ai Labs is India’s first mobile security start up building awareness & providing solutions for mobile app, device & transaction security.

Kirk ISS

Kirk ISS

Kirk ISS are the leading provider of IT services in the Cayman Islands. We offer best-in class hardware, software, communications and cloud computing, all backed by professional services support.

Stack Identity

Stack Identity

Stack Identity protects access to cloud data by prioritizing identity and access vulnerabilities via a live data attack map.

OneCollab

OneCollab

OneCollab, your unwavering ally in the dynamic landscape of IT services and cybersecurity.

Togggle

Togggle

Togggle offers seamless identity verification solutions and distributed infrastructure, enabling organizations to combat fraud and ensure compliance with data protection regulations.