Specialists at Kaspersky Lab have described a new technique criminals use to steal money from ATMs. They explained cases in which neither physical damage to the ATM nor a malware infection could be found, yet the ATM was forced to dispense cash to the criminals and their accomplices. One can assume the attackers compromised the bank's corporate network, but no sign of a break-in could be found: the hackers had carefully covered their tracks.
At the Security Analyst Summit conference, the experts said that in 2016 two Russian banks suffered such attacks; in one night the banks lost about $800,000 because criminals emptied their ATMs. During the attack the hackers gained control over the ATMs and downloaded the malware, and the malicious program was removed after the money had been withdrawn. Forensic investigators from one of the affected banks were not able to recover the malware executables because the hard drive had been fragmented after the attack, but they were able to obtain the malware's logs and learn the names of some files.
So the researchers found two files on the hard drive of the affected ATM: C:\Windows\Temp\kl.txt and C:\logfile.txt. They also learned the names of the executables: C:\ATM\!A.EXE and C:\ATM\!J.EXE.
The following fragment, in text format, was discovered in the logs; the researchers could not find any more information:

[Date — Time]
[%d %m %Y %H : %M : %S] > Entering process dispense.
[%d %m %Y %H : %M : %S] > Items from parameters successfully converted. 4 40
[%d %m %Y %H : %M : %S] > Unlocking dispenser, result is 0
[%d %m %Y %H : %M : %S] > Catch some money, bitch! 4000000
[%d %m %Y %H : %M : %S] > Dispense success code is 0
With this information the analysts of Kaspersky Lab were able to continue the analysis. A YARA rule to search for the malware was created on the basis of the data from the log. It turned out that a sample of the malware had been uploaded to VirusTotal twice under the name tv.dll (from Kazakhstan and from Russia). The malware was codenamed ATMitch, and the investigation continued.
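As an added example (not part of the article and not Kaspersky Lab's own rule or tooling), the following Python script shows how a responder could reuse the recovered log strings and the "%d %m %Y %H : %M : %S" line format as detection indicators: it sweeps text carved from an ATM disk image or memory dump for the log markers and reconstructs each dispense cycle with its timing. The sample log and its timestamps are constructed for the demonstration.

```python
import re
from datetime import datetime

# Indicator strings from the ATMitch log fragment quoted above, for sweeping
# strings carved from an ATM disk image, pagefile or memory dump.
ATMITCH_LOG_MARKERS = (
    "Entering process dispense.",
    "Items from parameters successfully converted.",
    "Unlocking dispenser, result is",
    "Catch some money",
    "Dispense success code is",
)

# A log line "[dd mm YYYY HH : MM : SS] > message" (the recovered "%d %m %Y %H : %M : %S" format).
LOG_LINE = re.compile(r"^\[(\d\d) (\d\d) (\d{4}) (\d\d) ?: ?(\d\d) ?: ?(\d\d)\] > (.*)$")

def parse_log(text):
    """Yield (timestamp, message) for every line matching the log format."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            d, mo, y, h, mi, s, msg = m.groups()
            yield datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)), msg

def triage_log(text):
    """Report which markers appear and rebuild each dispense cycle with its timing."""
    found = [mk for mk in ATMITCH_LOG_MARKERS if mk in text]
    cycles, current = [], None
    for ts, msg in parse_log(text):
        if msg.startswith("Entering process dispense"):
            current = {"start": ts, "end": None, "value": None, "result": None}
        elif current is None:
            continue  # lines outside a dispense cycle are not of interest here
        elif msg.startswith("Catch some money"):
            current["value"] = int(msg.rsplit(" ", 1)[1])  # trailing number on the line
        elif msg.startswith("Dispense success code is"):
            current["result"] = int(msg.rsplit(" ", 1)[1])
            current["end"] = ts
            cycles.append(current)
            current = None
    return {"markers": found, "cycles": cycles}

# Constructed sample: the recovered fragment with made-up timestamps filled in.
SAMPLE_LOG = """\
[03 02 2016 01 : 12 : 07] > Entering process dispense.
[03 02 2016 01 : 12 : 07] > Items from parameters successfully converted. 4 40
[03 02 2016 01 : 12 : 08] > Unlocking dispenser, result is 0
[03 02 2016 01 : 12 : 09] > Catch some money, bitch! 4000000
[03 02 2016 01 : 12 : 11] > Dispense success code is 0
"""
```

Running triage_log over strings extracted from a suspect image gives the timestamps of each dispense cycle, which can then be correlated with the bank's transaction records and CCTV for the same minutes.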
The study of the malware showed that after ATMitch is installed inside the ATM, the ATM computer opens a Remote Desktop Connection to the attacker. The malware then looks for the file command.txt, which should be in the same folder as the malware. If the file is found, ATMitch reads its contents, consisting of a single character, and performs the corresponding command:
‘O’ - to open the dispenser
‘D’ - to give money
‘I’ - to initialize the XFS library
‘U’ - to unlock XFS
‘S’ - to set up
‘E’ - to exit
‘G’ - to get the ID of the dispenser
‘L’ - to set the ID of the dispenser
‘C’ - to cancel
After executing the command, ATMitch writes the results to the log and deletes the file command.txt from the ATM's hard drive. The attackers then only need to come to the ATM, withdraw the money and disappear.
The researchers write that the standard XFS library is used to control the ATM, so the malware works on any ATM that supports the XFS library, and the overwhelming majority of ATMs do.
"The group is probably still active, but that is no reason to panic. In order to fight back against such cyber attacks, the information security specialists of the victim organization must have special knowledge and skills. First of all, we must remember that the attackers used ordinary legitimate tools, and after the attack they carefully removed all traces of their presence in the system. Therefore, to solve these problems we need to pay special attention to the study of memory (the brain of the ATM), in which ATMitch is hiding," said Sergey Golovanov, leading anti-virus expert at Kaspersky Lab.