Self-Deleting Malware Makes ATMs Spit out Cash


CrAKeN


Security researchers have uncovered one of the most sophisticated ATM heists to date, involving a group of cyber criminals specialized in hacking bank networks using fileless malware, and ATM malware that spits out cash and then self-deletes.


These ATM heists are the work of a group of hackers that has been active for years. Most recently, starting in 2016, this group switched to using legitimate Windows apps and fileless malware to hack into government agencies and banks in at least 40 countries.


Because those attacks used stealthy techniques that left a minimal footprint on infected servers, investigators weren't able to determine what the crooks were after. Nevertheless, they suspected the hackers stole data from infected systems, although they didn't know what data.


Hackers breached banks to get control of ATM systems


More clues about these attacks came to light only recently. Security researchers from Kaspersky Lab, the ones who identified the initial attacks this February, believe they uncovered the purpose of some of the bank hacks.


[Image: ATMitch.png]


Presenting at the Security Analyst Summit (SAS) held these days in St. Maarten, Kaspersky Lab researchers said crooks broke into the networks of various banks using various exploits, where they used legitimate Windows tools and PowerShell malware to escalate their access to nearby systems.


Their target was the system that managed the bank's ATM network. Hackers used this system's remote management feature to connect to the ATMs via RDP.


They then transferred and installed a new breed of ATM malware on these machines, which Kaspersky Lab experts called ATMitch.


ATMitch malware makes ATMs spit out cash


This malware worked by reading a local command.txt file for instructions. Commands were simple one-letter characters left inside the command.txt file, such as:

    ‘O’ – Open dispenser
    ‘D’ – Dispense
    ‘I’ – Init XFS
    ‘U’ – Unlock XFS
    ‘S’ – Setup
    ‘E’ – Exit
    ‘G’ – Get Dispenser id
    ‘L’ – Set Dispenser id
    ‘C’ – Cancel

When attackers knew they had partners in front of specific ATMs, they'd upload instructions to the command.txt file and the malware would execute them, spewing out cash. Based on log entries, researchers believe the ATM printed on its screen the words "Catch some money, bitch!"
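As an added defender-side example (not code from the article or from Kaspersky Lab), the following Python script shows how the one-letter command alphabet above and the file names the article mentions can be turned into a triage heuristic: it decodes a suspected command.txt and flags an RDP logon that is followed shortly by a write to command.txt or tv.dll on the same ATM. Host names, timestamps and the event format are constructed for the example.

```python
from datetime import datetime, timedelta

# Command alphabet the article lists for ATMitch (letter -> meaning).
ATMITCH_COMMANDS = {
    "O": "Open dispenser", "D": "Dispense", "I": "Init XFS",
    "U": "Unlock XFS", "S": "Setup", "E": "Exit",
    "G": "Get Dispenser id", "L": "Set Dispenser id", "C": "Cancel",
}
# File names the article associates with ATMitch. The malware normally
# self-deletes, so these are weak indicators and only useful in combination.
SUSPECT_FILES = {"command.txt", "tv.dll"}


def decode_command_file(name, content):
    """Return the decoded command list if `content` looks like an ATMitch
    command file (only letters from the alphabet, optionally quoted or
    whitespace-separated), otherwise None."""
    if name.lower() != "command.txt":
        return None
    letters = [c for c in content.upper() if c.isalpha()]
    if not letters or any(c not in ATMITCH_COMMANDS for c in letters):
        return None
    return [ATMITCH_COMMANDS[c] for c in letters]


def find_rdp_to_file_chains(events, window=timedelta(minutes=30)):
    """events: list of (timestamp, kind, detail) sorted by time, where
    kind is "rdp_logon" (detail = host) or "file_write" (detail = (host, file)).
    Returns (logon_event, file_event) pairs where a suspect file was written
    on the same host within `window` after the RDP logon."""
    hits = []
    for i, (t_logon, kind, host) in enumerate(events):
        if kind != "rdp_logon":
            continue
        for later in events[i + 1:]:
            t_file, kind2, detail = later
            if t_file - t_logon > window:
                break
            if kind2 == "file_write" and detail[0] == host \
                    and detail[1].lower() in SUSPECT_FILES:
                hits.append((events[i], later))
    return hits


# Constructed sample timeline (not real telemetry): one ATM shows the
# logon -> command.txt -> tv.dll pattern, the other only normal activity.
T0 = datetime(2017, 4, 4, 10, 0)
SAMPLE_EVENTS = [
    (T0, "rdp_logon", "ATM-0042"),
    (T0 + timedelta(minutes=3), "file_write", ("ATM-0042", "command.txt")),
    (T0 + timedelta(minutes=5), "file_write", ("ATM-0042", "tv.dll")),
    (T0 + timedelta(hours=2), "rdp_logon", "ATM-0077"),
    (T0 + timedelta(hours=3), "file_write", ("ATM-0077", "report.log")),
]
```

In practice the RDP logon and file-write events would come from Windows Security and Sysmon logs forwarded off the ATM before a reboot wipes the in-memory evidence the article describes.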


Tracking down robbed ATMs is almost impossible


It is unknown how many ATMs attackers emptied using this technique because the malware would self-delete once the attack ended, cleaning up all its files.


It was only by accident that on one ATM the malware left behind a file named "tv.dll." After further digging around, researchers were able to discover how the malware worked and traced it back to banks compromised by the same group they uncovered this past February.


Right now, researchers have tracked down only two incidents involving ATMitch, at a bank in Russia and one in Kazakhstan, but they believe that many more have also taken place.


The only problem is that detecting either the hacked bank or the hacked ATM is almost impossible, as most of the malicious behavior takes place via self-deleting malware and malicious PowerShell scripts executing in memory, without leaving any artifacts on disk. Once the bank server/computer or the ATM is rebooted, most of the clues are wiped from memory.


ATMitch is not the first ATM malware strain that works by forcing ATMs to empty their cash dispensers. Other strains are GreenDispenser, and recent versions of the Alice and Ploutus ATM malware.

