One or more unidentified hacker groups are leveraging free and commonly available pen testing tools to attack enterprises in the finance, government and telecom sectors with "fileless" malware that resides only in a machine's RAM, making it extremely difficult to detect and analyze.
In a blog post Wednesday, Kaspersky Lab reported that its Global Research & Analysis Team recently examined a series of incidents in which attackers embedded PowerShell into victims' registries as a way to download Meterpreter, a payload of the Metasploit penetration testing framework. From there, the adversaries used numerous legitimate Windows utilities and tools to execute malicious activities, including stealing from infected banks via unauthorized ATM transactions.
Already, more than 140 enterprises worldwide have already been infected in this campaign, including 21 organizations within the U.S.
"This is something new, especially on global scale that we're seeing," said Kurt Baumgartner, principal security researcher at Kaspersky, in an interview with SC Media, "We have seen Meterpreter used before... but we haven't seen this combination that seems to be very effective against multiple organizations."
Unlike the ATM heists, the attacks on the government and telecom companies have no clear financial gain, which suggests that there could be multiple motives or multiple actors behind the malware, Baumgartner noted. For instance, he speculated that attackers could be looking for "sensitive documentation" from government entities.
Kaspersky researchers began investigating the campaign after an unnamed bank's security team found the Meterpreter code in the physical memory of a domain controller (a Microsoft server computer that responds to security authentication requests) late last year.
A forensic analysis determined that the attackers have been using Windows' Service Controller utility to install a malicious service that executes the Meterpreter script on targeted hosts via PowerShell commands. They have also used Microsoft's Netsh networking tool as a tunneling device to secretly communicate data from infected networks to their command-and-control servers, which have been found residing on several third-level domains and obscure country code TLDs missing key WHOIS information.
Kaspersky further reported that the bad actors have used the credential-extracting tool Mimikatz to obtain the administrative privileges needed to operate the SC and Netsh utilities and execute PowerShell scripts.
The attackers' tactics, techniques and procedures most closely resemble those of the GCMAN and Carbanak cybercriminal gang, both of which have been known to adopt strategies more typical of advanced persistent threats, according to Kaspersky. However, "Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible," the blog post reported.
The initial method of infection is known at this time; however, Baumgartner noted that spear phishing attacks and SQL injections are popular techniques among cybercriminal groups such as GCMAN and Carbanak.