Fileless Windows malware is infecting enterprise systems in 40 or more countries, with more than 140 institutions having been hit, according to the anti-virus company Kaspersky.
The malware has not been given a name yet, but Kaspersky says it is similar to Duqu 2.0 that attacked its own network and stayed undetected for more than six months.
It said an unnamed bank found the malware in late 2016 after it detected Meterpreter code in the physical memory of one of its Windows domain controllers. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
Participating in the analysis of the malware, Kasperksy says it found the use of PowerShell scripts within the Windows registry. Additionally, the Windows NETSH utility was used to tunnel traffic from the host to the attacker's command and control centre. Another standard Windows utility, SC, was also used.
Since SC and NETSH can only be used by administrators on a Windows system, the malware used credentials from accounts which have administrative privileges. These were obtained using the post-exploitation tool
Mimikatz, which is part of the
Metasploit framework.
Graphic courtesy Kaspersky.
Kaspersky then used its own security network to check on the prevalence of the malware and claimed that more than 100 business networks were infected with PowerShell scripts in the registry.
"During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML, .CF ccTLDs. The trick of using such domains is that they are free and missing WHOIS information after domain expiration," the company said.
Since the attackers were using the Metasploit framework, standard Windows utilities and domains that had no WHOIS information, Kaspersky said it was not possible to ascertain who was behind the attacks.
Kaspersky's description includes ways to spot if a system if infected.
INTRODUCING ITWIRE TV
iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.
We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.
In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.
We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.
See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.
SEE WHAT'S ON ITWIRE TV NOW!
