Banks and governments targeted in wave of 'file-less' in-memory malware attacks

Nation-state attackers believed to be behind wave of sophisticated, security-evading malware

The global banking system and governments worldwide are being targeted with sophisticated in-memory malware that, security researchers claim, is almost undetectable using conventional security techniques.

According to security software company Kaspersky, more than 140 major organisations in 40 countries, particularly banks, but also telecoms companies and governmental organisations, have been affected.

Kaspersky claims to have identified seven affected organisations in the UK and ten in France. The US appears to be the most heavily targeted, with 21 organisations affected. Curiously, Germany and China, according to Kaspersky's data, have not been affected at all.

"The attackers, who may be connected to the GCMAN and Carbanak groups, aren't using signature-based malware to carry out their attacks, instead they're using fileless malware hidden in the memory of the affected servers," writes Chris Brook on Kaspersky's Threatpost website.

"Researchers uncovered the attacks after banks in the Commonwealth of Independent States [former Soviet Union] found Meterpreter, an extensible payload component used by Metasploit, inside the physical memory of a domain controller. Researchers with Kaspersky Lab found the software had been combined with PowerShell scripts in order to invisibly siphon up the passwords of system administrators," continued Brook.

Meterpreter is a legitimate penetration-testing tool that Kaspersky has previously seen used maliciously by a group it calls GCMAN.

Meterpreter gave the attackers remote access to the machines. According to Brook, the attackers "also used Microsoft's command-line scripting utility NETSH to funnel traffic from the victim's host to the attacker's command and control system".

Kaspersky believes that the attackers also used Mimikatz, an open-source 'post-exploitation' utility, to acquire credentials for administrative-level accounts.

According to Kaspersky, the attackers follow a fairly straightforward process. They gain initial entry by using a known exploit for an unpatched server vulnerability. Then, they use Meterpreter and PowerShell scripts to infect targeted computers.

Third, their malware runs only in memory, with the PowerShell loader scripts kept in the Windows registry rather than on disk, to evade detection. At this stage, they are able to gather credentials and other valuable information. Standard utilities such as NETSH are then used to tunnel traffic and exfiltrate the compromised information.

According to Kaspersky, nearly all traces of the malware disappear on reboot and, because the malware leaves so little behind, it isn't detected by conventional anti-virus and other security software.
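The few artefacts that do survive in this kind of intrusion are the ones the article lists: services or scheduled tasks that launch PowerShell, the PowerShell processes themselves, and NETSH port-proxy rules (which are stored in the registry and so persist across reboots). The following hunting script is an added example for this page, not Kaspersky's or Threatpost's own tooling; it is to be run elevated on a suspect Windows host, the indicator regex and the PortProxy registry path are assumptions based on how netsh stores v4tov4 rules, and the decoder for `-EncodedCommand` payloads is there because Meterpreter-style loaders are usually delivered that way.

```powershell
# Added example (not from the original article): collect the persistent traces
# that a memory-resident PowerShell/Meterpreter/NETSH intrusion leaves behind.
# Run in an elevated PowerShell session on the host under investigation.

# Assumed indicator pattern for PowerShell one-liners used as in-memory loaders.
$suspiciousPs = '-(e|ec|enc|encodedcommand)\s|-nop|-w(indowstyle)?\s+hidden|IEX|Invoke-Expression|FromBase64String|DownloadString|ReflectivePEInjection'

function ConvertFrom-EncodedCommand {
    # Decode a "-EncodedCommand <base64>" argument (UTF-16LE) so the analyst can read it.
    param([string]$CommandLine)
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
        } catch { return $null }
    }
    return $null
}

function Find-FilelessArtifacts {
    $findings = @()

    # 1. NETSH port proxies: "netsh interface portproxy add v4tov4 ..." writes here,
    #    so the tunnel endpoint survives reboots even when the payload does not.
    $proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (Test-Path $proxyKey) {
        $item = Get-Item $proxyKey
        foreach ($name in $item.Property) {
            $findings += [pscustomobject]@{
                Type   = 'NetshPortProxy'
                Source = $proxyKey
                Detail = "$name -> $($item.GetValue($name))"   # listen -> connect
            }
        }
    }

    # 2. Services whose binary path launches PowerShell with loader-style arguments.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.PathName -match 'powershell' -and $svc.PathName -match $suspiciousPs) {
            $findings += [pscustomobject]@{
                Type   = 'ServicePowerShell'
                Source = $svc.Name
                Detail = $svc.PathName
            }
        }
    }

    # 3. Scheduled tasks with a PowerShell action (Win8/Server 2012 and later).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)"
                if ($cmd -match 'powershell' -and $cmd -match $suspiciousPs) {
                    $findings += [pscustomobject]@{
                        Type   = 'ScheduledTaskPowerShell'
                        Source = "$($task.TaskPath)$($task.TaskName)"
                        Detail = $cmd
                    }
                }
            }
        }
    }

    # 4. Live PowerShell processes: the only place a purely in-memory stage is visible.
    #    Capture these (and a memory image) BEFORE rebooting the host.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name='powershell.exe'") {
        if ($proc.CommandLine -match $suspiciousPs) {
            $decoded = ConvertFrom-EncodedCommand $proc.CommandLine
            $findings += [pscustomobject]@{
                Type   = 'RunningPowerShell'
                Source = "PID $($proc.ProcessId) (parent $($proc.ParentProcessId))"
                Detail = if ($decoded) { $decoded } else { $proc.CommandLine }
            }
        }
    }

    return $findings
}

Find-FilelessArtifacts | Format-Table -AutoSize -Wrap
```

Cross-check the first category with `netsh interface portproxy show all`, and once a rule is confirmed malicious remove it with `netsh interface portproxy delete v4tov4 listenport=<port> listenaddress=<addr>`. Because the payload itself lives only in memory, preserve a memory image and the process list before any reboot or remediation; the script's registry and service checks are what remain afterwards.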

The company hasn't been able to definitively identify a group behind the wave of attacks, but claims that the techniques deployed resemble those of groups such as GCMAN and Carbanak, a gang also known as Anunak that Kaspersky claims has stolen as much as $1bn from up to 100 banks.

Carbanak re-emerged towards the end of last year in a string of attacks targeting call centres in the hospitality sector, with the ultimate aim of compromising point-of-sale retail systems.

The claims from Kaspersky follow a year of disclosures over malicious attacks on banks targeting their payment systems. In one, on the central bank of Bangladesh, the attackers attempted transfers of $951m; $81m went through before the remainder was thwarted, in part by the attackers' own spelling mistakes.