Invisible malware targets financial information
Researchers at Kaspersky Lab have uncovered a series of targeted attacks that use legitimate software to avoid detection.
The attacks employ widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows. They drop no malware files onto the hard drive; instead, the malicious code resides only in memory.
This combined approach helps the attacks evade detection by application-whitelisting technologies, and leaves forensic investigators with almost no artifacts or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.
The invisible attacks have hit more than 140 enterprise networks in a range of business sectors, with most victims located in the USA, France, Ecuador, Kenya, the UK and Russia. In total, infections have been registered in 40 countries. The goal of the attacks is to access financial processes within a victim's system.
"The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware," says Sergey Golovanov, principal security researcher at Kaspersky Lab. "That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique, demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible."
Who is behind the attacks is unknown. The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible -- or even whether it is a single group.
The attackers are still active and detection of the threat is only possible in RAM, the registry and the network. More details of the attack and how to detect it can be found on the Kaspersky blog.
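As an added example that is not part of the article or of Kaspersky's report, the PowerShell triage script below looks in the three places the article says the activity can still be seen: registry autorun values, live PowerShell processes in memory, and the network connections those processes hold. The registry paths and the indicator substrings are my assumptions for illustration, not details taken from the report.

```powershell
# Added example: quick defender triage of registry, RAM and network on a Windows host.
# Assumes Windows PowerShell 5+ and the NetTCPIP module (Get-NetTCPConnection).
# Indicator substrings are an assumption; a hit is a lead for analysis, not proof.
$suspectPatterns = @('-enc', '-encodedcommand', 'frombase64string', 'downloadstring',
                     'invoke-expression', 'iex ', '-windowstyle hidden')

function Test-SuspectCommand {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    $lower = $CommandLine.ToLowerInvariant()
    foreach ($p in $suspectPatterns) { if ($lower.Contains($p)) { return $true } }
    return $false
}

# 1. Registry: an autorun value that launches powershell persists across reboots
#    even though no malware file exists on disk.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $value = [string]$props.$name
        if ($value -match 'powershell' -or (Test-SuspectCommand $value)) {
            [pscustomobject]@{ Source = 'Registry'; Where = "$key\$name"; Detail = $value }
        }
    }
}

# 2. RAM: live PowerShell processes, their parents and the command lines they started with.
$psProcs = Get-CimInstance Win32_Process | Where-Object { $_.Name -match '^powershell(_ise)?\.exe$' }
foreach ($proc in $psProcs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    [pscustomobject]@{ Source = 'Process'; Where = "PID $($proc.ProcessId) (parent: $($parent.Name))"
                       Detail = $proc.CommandLine; Suspect = (Test-SuspectCommand $proc.CommandLine) }
}

# 3. Network: established TCP connections owned by those PowerShell processes.
$psPids = @($psProcs.ProcessId)
if ($psPids.Count -gt 0) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $psPids -contains $_.OwningProcess } |
        Select-Object @{n='Source';e={'Network'}}, OwningProcess, RemoteAddress, RemotePort
}
```

Run it from an elevated prompt so that processes and connections of other users are visible, and export the objects it emits to CSV or a SIEM for comparison across hosts.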