Almost everyday, we’re reminded that malware authors are sharpening their skills and tools in order to try and evade detection. One such example of this is the fileless malware, which resides exclusively in RAM.
Kaspersky Lab experts recently investigated a cyberincident, which involved legitimate pen-testing software called Meterpreter. They found that there were PowerShell scripts and legitimate utilities deployed in the victims bank infrastructure, but they were used for malicious activity – namely, they helped attackers siphon data to the attack server. This toolset also included a piece of software Netsh, which is an operating system component used for remote network parameter configuration. All of the assets used for the attack were modified to function only in fileless mode. They never left a trace on the hard drive. The culprits pursued a clear objective: to lay their hands on admin passwords and financial data.
Kaspersky lab engineers started to look for similar activity and used Kaspersky Security Network to identify it in over 140 enterprise networks located in the USA, France, Ecuador, Kenya, UK and Russia.
We can’t be 100% sure of who is responsible for this attack, but the similarity in techniques and tools used could point to the people behind Carbanak or GCMAN.
When an attack combines legitimate tools with fileless malware, it’s extremely difficult to detect. In general, it’s practically impossible to detect such a threat without involving external experts, unless an organization has an in-house team of seasoned cybersecurity experts specializing in the banking sphere.
To protect themselves from this threat, businesses should:
- Learn about Indicators of Compromise which are described in this article;
- Mitigate malicious activity in the organization’s infrastructure;
- Change all passwords;
- Maintain an appropriately high level of proficiency among in-house security experts.
To ensure a high level of proficiency, we recommend security professionals to visit our Security Analyst Summit conference which will be held on the San Martin island on April 2 – 6, 2017.
This year, two valuable courses will be held at SAS. This first will help experts learn to use the YARA analytics tool. It allows to create efficient rules and then test and improve them to the point where they’re capable of detecting advanced threats. The course is useful for both security beginners and seasoned professionals.
The second course will teach to reverse engineer malware. It’s designed for seasoned researchers who are already experienced in threat analytics. The course will last four days: the first day will be about unpacking malware, the second day will be centered on static analysis of shell code; and for the rest of the course, the participants will practice with samples of malware used in renowned APT attacks.
To learn more about the courses and apply, visit Security Analyst Summit web site.