This 'invisible' memory-based malware is infiltrating organisations across the globe

Cybercriminals are using legitimate software to collect enterprise passwords and other credentials.
Written by Danny Palmer, Senior Writer

A new attack method leaves almost no trace of the perpertrator.

Image: iStock

Cybercriminals are launching 'invisible' attacks to infiltrate the networks of organisations to steal login credentials and financial data -- and the only tool they're using is legitimate software.
It's thought that over 140 organisations including banks, telecommunications companies, and government organisations across the globe have fallen victim to these hidden malware attacks.

Discovered by cybersecurity researchers at Kaspersky Lab, the attacks use widely-available tools, including penetration-testing and administration software as well as the PowerShell framework for task automation in Windows, to hide malware in victims' computer memory, instead of the more traditional tactic of dropping it onto the hard drive.

This form of attack leaves investigators with almost no evidence that an attack took place, and any indication of an incident is removed when the system is rebooted.

The discovery came after Kaspersky Lab was contacted by banks which had found Meterpreter penetration-testing software in the memory of their servers when it wasn't supposed to be in that location.

Meterpreter had its code combined with legitimate PowerShell scripts and other utilities, with the aim of stealing administrator passwords and remotely controlling machines and systems. All of these factors indicate the attackers are attempting to make off with credentials about financial processes.

This 'invisible' method of attack makes it difficult to uncover details about incidents because a lack of traces of hacker activity mean the normal processes of incident response don't apply.

It's not known who specifically is behind the attacks, and the use of open source exploits, Windows utilities, and unknown domains make it difficult to identify the exact group, or groups, responsible. However, researchers note that cybercriminal groups such as the Carbanak gang and the GCMAN group use similar approaches.

The group behind the attacks is still active and has so far successfully attacked organisations in 40 countries. It's the US which has found itself most targeted by the invisible malware so far, with 21 organisations falling victim to this sort of attack there. Other prominent targets include businesses in France, Ecuador, Kenya, the UK, and Russia.

What makes this type of attack particularly dangerous to organisations is that any evidence of it occurring is so well hidden.

"The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions," said Sergey Golovanov, principal security researcher at Kaspersky Lab.

"In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible".

Read more on cybercrime

Editorial standards