ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware

Pierluigi Paganini April 09, 2017

According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia and stole $800,000 in just one night using a Fileless malware dubbed ATMitch.

According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia and stole $800,000 in just one night.

The cyber heist caught the attention of security experts that analyzing the CCTV footage have noticed a man walking up to the ATM and collecting cash apparently without interacting with the machine.

Security teams at the affected banks haven’t found any evidence of the presence of a malware or any sign of an intrusion. Just one of the targeted banks reported having discovered two files containing malware logs on the ATM.

The experts have discovered the following strings in the log files:

  • “Take the Money Bitch!”
  • “Dispense Success.”

In February, malware at Kaspersky Labs reported that crooks hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged a ‘Fileless malware.’

fileless malware

Malicious code is directly injected into the memory of the infected machine and the malware executes in the system’s RAM.

“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.

The attack was first spotted by a bank’s security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in a physical memory of a Microsoft domain controller (DC).

The experts at Kaspersky Lab tracked the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverage PowerShell scripts within the Windows registry to load the Meterpreter code directly into memory, similar techniques leveraging on the PowerShell were already adopted by other malware in the wild.
Malware researchers believe that hackers that targeted the banks carried out the attacks with a Fileless malware.

During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.

Experts have tracked the malware as ATMitch, it was first spotted in Russia and Kazakhstan, the malicious code is remotely installed and executed on ATMs via its remote administration module.

“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.

fileless malware ATMitch

The attackers connect the ATM via SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.

Since Fileless malware leverages the existing legitimate tools on a machine to remotely send the command to dispense the money, an operation that is very quick, just a few seconds are enough to empty the ATM without leaving traces.

“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.

The experts highlighted that attackers used a sophisticated method to compromise the bank network an access to the ATM’s back-end panel.

To avoid triggering the alarm, attackers physically accessed the ATM by drilling a golf-ball sized hole in the front panel. The hole allows the attackers to access to the cash dispenser panel using a serial distributed control wire (SDC RS485 standard).

Kaspersky experts explained that the technique was discovered after the police arrested a man dressed as a construction worker while he was drilling into an ATM.

Malware researchers warn ATM manufacturer and banks that crooks across Russia and Europe have already used the ATM drill attack for cyber heists.

Researchers did not identify a specific criminal gang behind these ATM hacks, anyway, they noticed that the source code used in the attacks contains references to the Russian language.

Kaspersky has discovered many similarities with techniques used by the have discovered many similarities with techniques used by the Carbanak and GCMAN cyber gangs.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fileless malware, banks)



you might also like

leave a comment