Kaspersky researchers discovered a new piece of ATM malware, tracked as ATMDtrack, that was developed and used by North Korea-linked hackers.
Threat actors deployed the malware on ATM systems to steal payment card details of the back customers.
“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the
According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.
Below a list of some functionalities supported by the Dtrack payload
The experts were able to analyze only dropped samples, as the real payload was encrypted with various droppers. The samples were detected because of the unique sequences shared by ATMDtrack and the
“At this point, the design philosophy of the framework becomes a bit unclear. Some of the
“Aside from the aforementioned
Once decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.
“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.
The discovery of the ATMDTrack malware confirms the intense activity of the Lazarus APT group.
The state-sponsored group continues to develop malware that was used
“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers.” concludes Kaspersky. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”
Technical details, including IoCs, are reported in the analysis published by Kaspersky.
(SecurityAffairs – APT, hacking)