Banks under attack from almost-invisible malware

Banks and enterprises around the world are being targeted by hackers in attacks that utilise almost invisible malware, making infections extremely difficult to detect.

Kaspersky Lab researchers have warned that they have found at least 140 banks, telcos, and government organisations across 40 countries with the same type of infection the security firm discovered on its own corporate network two years ago.

The security firm was targeted by a state-sponsored group for months using malware derived from Stuxnet, which it dubbed Duqu 2.0.

At the time Kaspersky said the malware it found on its corporate network was unlike anything it had seen before: it managed to evade discovery for six months by residing solely in the system memory of compromised computers.

The security firm warned a similar infection is spreading fast amongst banks and enterprises globally.

The malware uses legitimate system administrator and security tools like Metasploit, Mimikatz, and PowerShell to inject malware into computer memory, making it almost impossible to detect for long periods of time.

The most common method of attack appears to be the use of Meterpreter, downloaded with the help of PowerShell commands onto the physical memory of a Microsoft domain controller, coupled with the NETSH networking tool to transport data to the attacker's servers.

The attackers utilise the Mimikatz post-exploitation tool to obtain administrative privileges, and hide their PowerShell commands in the Windows registry.

This method of attack was first identified in 2016 at an unnamed bank. 

Kaspersky has been unable to identify who is behind the attacks. It warned that the number of infections is likely much higher than the 140 it identified because the malware is so difficult to spot.

Australia was not listed amongst the 40 countries identified with infected enterprises.

Kaspersky will present further details at the Security Analyst Summit in April.