Security firm finds memory malware on 140 corporate networks
Security firm Kaspersky has discovered so-called fileless malware on the networks of 140 companies, including banks. This form of malicious software resides only in the memory of the affected systems and writes no executable to disk, which makes it hard to detect with conventional file-based scanning.
The malware is used to collect login data from administrators, Kaspersky writes in an analysis. To do this, the attackers rely on widely available tools such as Meterpreter, Mimikatz and PowerShell. According to the researchers, the PowerShell scripts were generated with the Metasploit Framework, which is used, among other things, to configure and launch exploits. As a result, no malware files had to be written to disk, and the traces of an attack disappeared as soon as the system was rebooted.
The researchers tracked down the attacks when a bank found Meterpreter code in the memory of a domain controller. They found that a PowerShell script stored in the Windows registry loaded the Meterpreter payload into the system's memory. The attackers also used the standard Windows component SC to create a malicious service, and another standard component, NETSH, to tunnel traffic to a command and control server. To obtain the administrator credentials they needed, the attackers used Mimikatz.
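Because nothing touches disk, the usable traces of an attack like this are the persistence mechanism (a registry value or a service that launches PowerShell with an encoded payload), the NETSH port-proxy rules that tunnel to the command and control server, and the live powershell.exe process that holds the outbound socket. The script below is an added hunting example, not code from Kaspersky's analysis or from the attackers' toolkit. The registry locations, the regular expression and the output format are the author's assumptions about what such traces commonly look like; it is meant to be run on a suspect host before it is rebooted, since a reboot erases the in-memory payload and the network session, and it does not replace a full memory capture.

```powershell
# Added hunting script (assumptions: common autorun keys, a heuristic regex).
# Looks for the three living-off-the-land traces described in the article:
# PowerShell persistence in the registry, a service whose command line starts
# PowerShell, and NETSH port-proxy tunnels, plus any live powershell.exe
# process with an established TCP connection.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic: PowerShell invoked with an encoded command, a download cradle,
# or the usual "hidden window / no profile" switches (-match is case-insensitive).
$suspicious = 'powershell[^\r\n]*(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|-nop\b|-w(indowstyle)?\s+hidden)'

function Find-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match $suspicious) {
                [pscustomobject]@{ Source = 'Registry'; Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

function Find-SuspiciousService {
    # A service created with sc.exe whose ImagePath launches PowerShell directly
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $suspicious } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Location = $_.Name; Value = $_.PathName }
        }
}

function Find-PortProxy {
    # netsh portproxy rules persist across reboots and are rarely legitimate
    # on a domain controller; data rows look like: 0.0.0.0  4444  10.0.0.5  443
    $out = netsh interface portproxy show all 2>$null
    $out | Where-Object { $_ -match '^\s*\S+\s+\d+\s+\S+\s+\d+\s*$' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'netsh portproxy'; Location = $env:COMPUTERNAME; Value = $_.Trim() }
        }
}

function Find-PowerShellNetwork {
    # An in-memory Meterpreter stager has no file of its own but still needs a
    # socket: list powershell.exe processes that own an established TCP session.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.Name -match '^powershell') {
                [pscustomobject]@{
                    Source   = 'Network'
                    Location = "PID $($proc.Id)"
                    Value    = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)"
                }
            }
        }
}

@(Find-SuspiciousAutorun; Find-SuspiciousService; Find-PortProxy; Find-PowerShellNetwork) |
    Format-Table -AutoSize
```

Run it from an elevated prompt; HKLM service and autorun values are readable without elevation, but Get-NetTCPConnection only resolves owning processes of other users when run as administrator. Any hit should be followed by a memory dump of the flagged process rather than a reboot, and the regular expression will miss payloads that are obfuscated differently, so treat an empty result as "nothing matched this heuristic", not as a clean host.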
According to Kaspersky, it is nearly impossible to say who is behind the attacks, because they used readily available tools and domains with no whois information. The affected companies are mainly located in the US, France, Ecuador, Kenya and the UK. The company says advanced attacks using memory-resident malware are becoming more common, and the discovery shows that an attack can succeed without any malware sample ever being written to disk.
Display of the infection process