A sophisticated, difficult-to-detect piece of malware has wormed its way onto the systems of more than 140 banks, government agencies, and enterprise organizations. The malware, Kaspersky Labs reports, was used to gather the passwords of system administrators and to remotely control infected host machines. For banks with automatic teller machines, it’s also being used to push money out of those locations.
Researchers have encountered this sort of “invisible” malware before. Kaspersky Labs referenced Duqu2, which has been described as a derivative of the Stuxnet worm, a powerful, widespread piece of malware that targeted the control systems of dams, power plants, and other large-scale industrial operations. (Stuxnet was famously used to seriously damage Iran’s nuclear program.)
Kaspersky Labs first discovered Duqu2 on its own corporate network a few years ago; it had survived there undetected for more than six months. Unlike traditional malware, this new breed is fileless, existing exclusively in the memory of infected systems rather than on disk. That’s what makes it so hard to detect.
A bank’s security team alerted Kaspersky in late 2016 to a new threat it had discovered, one that resembles Duqu2 but uses legitimate Windows utilities to implement the “memory-based malware and tunnelling.” After further digging, security researchers were able to pinpoint it on other systems around the globe. Kaspersky found that more than 140 organizations in 40 countries are affected by this type of malware.
At the moment, it’s unclear who is behind the attacks and exactly how widespread it is. Kaspersky is not publicly revealing the names of organizations that have been compromised.
For details on how this attack operates (and, for system administrators, signs that your own company’s systems could be infected), see the Kaspersky Labs blog.
Correction: While Kaspersky likened the implementation of the malware to Duqu2, the company did not give a specific name to the fileless malware it discovered. We’ve updated this article for context and clarity.