Research has revealed that banks, telecommunication companies and government organisations in Africa, the US, South America and Europe are among the top targets, with the GCMAN and Carbanak groups being the primary suspects.
Kaspersky Lab experts have discovered a series of “invisible” targeted attacks that use only legitimate software: widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows – dropping no malware files onto the hard drive, but hiding in the memory. This combined approach helps to avoid detection by whitelisting technologies, and leaves forensic investigators with almost no artefacts or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.
At the end of 2016, Kaspersky Lab experts were contacted by banks in the CIS which had found the penetration-testing software Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there. Kaspersky Lab discovered that the Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities.
The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators so that the attackers could remotely control the victim’s systems. The ultimate goal appears to have been access to financial processes.
Kaspersky Lab has since uncovered that these attacks are happening on a massive scale: hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the USA, France, Ecuador, Kenya, the UK and Russia.
In total, infections have been registered in 40 countries. It is not known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools. Known groups that have the most similar approaches are GCMAN and Carbanak.
Such tools also make it harder to uncover the details of an attack. The normal process during incident response is for an investigator to follow the traces and samples left in the network by the attackers. And while data in a hard drive can remain available for a year after an event, artefacts hiding in the memory will be wiped on the first reboot of the computer. Fortunately, on this occasion, the experts got to them in time.
“The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
The attackers are still active, so it is important to note that detection of such an attack is possible only in RAM, the network and the registry – and that, in such instances, the use of Yara rules based on a scan of malicious files is of no use.
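Because the tooling described above never writes a malware file to disk, file-based scanning has nothing to match; defenders instead have to work from telemetry captured at execution time, such as PowerShell script block logging. The following is an added example, not code from Kaspersky Lab or from the Securelist post: a small Python triage script that reads constructed PowerShell log lines (the pipe-delimited format, event number, host names, timestamps and the indicator list are all assumptions for this example), decodes `-EncodedCommand` payloads from their base64/UTF-16LE form, and flags in-memory execution patterns that are only visible after decoding. It also handles the caveat that an encoded command by itself is not evidence of compromise: the decoded text has to be inspected before anything is escalated.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns that suggest script text is being executed without ever touching disk.
# This list is an assumption for the example, not a published rule set.
INDICATORS = {
    r"FromBase64String": "payload decoded in memory",
    r"Reflection\.Assembly\]::Load": ".NET assembly loaded from memory, no file on disk",
    r"Invoke-Expression|\bIEX\b": "dynamic evaluation of generated script text",
}

# -EncodedCommand and the abbreviated forms PowerShell accepts, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    host: str
    severity: str
    decoded: Optional[str]      # decoded script text, if the line carried an encoded command
    indicators: List[str]


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    match = ENCODED_FLAG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # malformed payload: report as not decodable rather than crash the triage


def find_indicators(script: str) -> List[str]:
    """Return the description of every in-memory execution pattern present in the script."""
    return [desc for pattern, desc in INDICATORS.items() if re.search(pattern, script)]


def analyze_log(lines: List[str]) -> List[Finding]:
    """Triage pipe-delimited log lines of the form timestamp|host|event_id|script_text."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        _ts, host, _event, text = line.split("|", 3)   # the script text may itself contain '|'
        decoded = decode_encoded_command(text)
        # Match on the decoded script when there is one, so base64 noise is never scanned.
        hits = find_indicators(decoded if decoded is not None else text)
        if decoded is None and not hits:
            continue                       # ordinary script block: nothing to report
        severity = "high" if hits else "low"   # encoding alone is worth a look, not an alert
        findings.append(Finding(line_no, host, severity, decoded, hits))
    return findings


def _encode(script: str) -> str:
    """Produce the base64/UTF-16LE form PowerShell expects; used only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log: hosts, timestamps, event number and commands are invented for this example.
SAMPLE_LOG = [
    "2017-02-08T09:12:01|srv-fin01|4104|Get-ChildItem C:\\Reports | Where-Object { $_.Length -gt 1MB }",
    "2017-02-08T09:13:44|srv-fin01|4104|powershell.exe -EncodedCommand "
    + _encode("$b=[Convert]::FromBase64String($d);[System.Reflection.Assembly]::Load($b)"),
    "2017-02-08T09:15:02|srv-fin02|4104|powershell.exe -enc " + _encode("Get-Date"),
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.host} [{f.severity}] decoded={f.decoded!r}")
        for ind in f.indicators:
            print("   -", ind)
```

Run against the constructed sample, the first line produces no finding, the second is rated high because the decoded text loads an assembly straight from memory, and the third is rated low because the encoded command decodes to a harmless `Get-Date`. The same split applies to memory or registry artefacts: the decision has to be made on decoded content, not on the presence of encoding.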
Details of the second part of the operation, showing how the attackers implemented unique tactics to withdraw money through ATMs will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April, 2017.
Kaspersky Lab products successfully detect operations using the above tactics, techniques and procedures. Further information on this story and Yara rules for forensic analysis can be found in the blog on Securelist.com.
Technical details, including Indicators of Compromise were also provided to customers of Kaspersky Intelligence Services.
Combatting attacks by groups like GCMAN or Carbanak requires a specific set of skills from the security specialist guarding the targeted organisation. During the Security Analyst Summit 2017, Kaspersky Lab’s top-notch specialists will be running exclusive security training sessions designed to help specialists detect sophisticated targeted attacks. Apply for training on “Hunting targeted attacks with Yara rules” here. Apply for training on Malware reverse engineering here.
Naspers feeds into Latin America’s tech funding
Movile will get $400m funding from the SA-based technology investment giant for iFood expansion.
Movile is to receive US$500-million in funding for iFood in the largest tech funding in Latin America to date. Naspers and Innova Capital have committed to invest $400m of new capital into Movile to use for further investment in iFood, the leading online food delivery platform in Latin America, of which Movile is a majority shareholder.
Movile and Just Eat have already invested $100m in iFood during 2018. iFood’s extraordinary growth and the vast market opportunity in Brazil and more broadly in Latin America has driven the increased investment commitment.
iFood’s monthly orders in Brazil have fed more than 9 million customers in the past twelve months, 16 times the nearest online competitor, in terms of daily active users. This means its partner restaurants are serving the biggest population of consumers ordering food in Latin America. iFood has 50 000 restaurant partners and uses 120 000 couriers.
The increased investment commitment from Naspers, Innova and Movile is expected to accelerate growth, speed up product development and innovation, and fuel geographical expansion for iFood across the region. The company’s vision is to gain deeper knowledge of consumers through artificial intelligence technology, to personalise the food delivery experience – and at a reduced price, because of improved logistics.
“Movile is very fortunate to have long-term investors who have supported us for the past decade to help achieve our goal of transforming the lives of more than one billion people and thus we are able to continually back iFood to ensure it remains the market leader,” said Fabricio Bloisi, Movile CEO.
“Our entire ecosystem of companies is focused on allocating resources and energy towards our one billion people goal. iFood is leading the way, fueling unprecedented growth through its innovative technology platform, providing consumers, couriers and restaurants with the best experience in food ordering and delivery.”
Larry Illg, CEO of Naspers Ventures, said: “iFood has established itself as a technology leader in Latin America and its success stacks up with some of the most innovative food companies that are leading regions in North America, Europe and Asia. We have been impressed by their execution in Brazil and remain committed to backing the company on its path to transform the entire food chain to better serve consumers.”
Online food delivery is experiencing massive expansion globally. According to latest reported results, Grubhub grew daily average orders 39% year-on-year, reaching over 416 000 orders per day. In Latin America, iFood has reached 390 000 orders per day just in Brazil in the last week of October, compared with 183 000 in October 2017, representing 109% growth.
iFood CEO Carlos Moyses said: “We want our consumers to have an amazing delivery experience from the moment they order their food to the moment it arrives. Our partners – the restaurants and delivery fleet – make that happen by living our purpose of improving people’s lives using our services.
“iFood exists for our customers and, with an increased investment commitment of this size, we will be able to build out our state of the art technology platform, and increase our courier and restaurant partners to even better serve our current and future customers in Latin America.”
Hide your sheep, Spyro is reigniting
Spyro, the iconic purple dragon that entertained living rooms worldwide in the late ‘90s, is making a return with the release of Spyro Reignited Trilogy.
Spyro Reignited Trilogy introduces players to a fully remastered game collection with a re-imagined cast of characters, animations, environments, new lighting and recreated cinematics, all in HD. Now fans can explore more than 100 lush environments filled with new detail that brings the Dragon Realms and Avalar to life. The trilogy is available for PlayStation 4, PlayStation 4 Pro and the family of Xbox One devices from Microsoft, including the Xbox One X.
South African distributors Megarom provided the following information:
In Spyro Reignited Trilogy, lead developer Toys For Bob is giving fans an all scaled-up version of the original three Spyro games that started it all, Spyro the Dragon, Spyro 2: Ripto’s Rage! and Spyro: Year of the Dragon, but with a modern-day feel that makes it fresh and fun for today’s player. Adding to the fun, voice actor Tom Kenny is returning to the franchise as the voice of Spyro in all three remastered games. Longtime fans will be treated to Toys For Bob’s reimagined version of the classic soundtracks, in addition to an all-new title-screen theme from original soundtrack composer Stewart Copeland.
Additionally, the new game brings an in-game audio feature that allows players to switch between the original and the newly remastered soundtracks, for those who want a more classic gameplay experience. Players can simply fly into the “options menu” at any time during gameplay, unleash their preferred nostalgic or scaled-up groove, and glide right back into the Spyro action without losing saved data.
“It’s been a real pleasure to bring back one of the most iconic video game characters of all time through the Spyro Reignited Trilogy,” said Paul Yan, Co-Studio Head at Toys For Bob. “We’ve poured everything we’ve got into making sure every detail was done right to deliver a great Spyro experience for fans. We hope players will have as much fun revisiting the Spyro world and characters as we did remastering them.”
In the lead-up to the official release of Spyro Reignited Trilogy, Activision Publishing, Inc., a wholly owned subsidiary of Activision Blizzard, created a first-of-its-kind, life-sized, fire-breathing and talking Spyro Dragon drone. The drone took off from “Stone Hill” castle near New York City, spreading his wings across the U.S. to explore the cities and iconic landscapes that resemble levels and themes from the original Spyro games. As part of the tour, the Spyro drone chased sheep, fired up some BBQ and delivered an early copy of Spyro Reignited Trilogy to fellow O.G. and entertainment icon, Snoop Dogg. Highlights from the Spyro drone’s delivery to Snoop Dogg can be found here.
“Fans have been asking Activision to bring Spyro back for some time now. The response to Spyro Reignited Trilogy has been great thus far, and we’re absolutely thrilled that we’re able to continue to reimagine and reinvigorate some of the most iconic videogames and characters of all time with our remastered experiences,” said Steve Young, Chief Revenue Officer at Activision. “With this year being the 20th anniversary of Spyro, there’s no better time to pay homage to everyone’s favorite purple dragon.”
The Spyro community is invited to geek out and elevate their fandom even further through the elite global partnerships from the Activision Blizzard Consumer Products Group (ABCPG). Collaborations with Funko, Traly Pins, Exquisite Gaming, KidRobot, USAopoly, Trends International, Rubber Road, and Changes have created new avenues for fans to share their love for the return of Spyro, the original roast master. Spyro consumer products across apparel, collectibles, figurines and more are now available at retailers worldwide. Fans can also take advantage of the GameStop exclusive Spyro TOTAKU Collection.