Kaspersky Lab experts reconstruct an ATMitch case – and discover a mysterious way to cash out with ATMs
One day bank employees discovered an empty ATM: there was no money, no traces of physical interaction with the machine, and no malware. After Kaspersky Lab experts spent time unwinding this mysterious case, they were able to not only understand the cyber criminal tools used in the robbery, but also reproduce the attack themselves, discovering a security breach at the bank.
In February 2017 Kaspersky Lab published the results of an investigation into mysterious fileless attacks against banks: criminals were using in-memory malware to infect banking networks. But why were they doing this? The ATMitch case has given us the whole picture.
The investigation started after the bank’s forensics specialists recovered and shared two files containing malware logs from the ATM's hard drive (kl.txt and logfile.txt) with Kaspersky Lab. These were the only files left after the attack: it was not possible to recover the malicious executables because after the robbery cybercriminals had wiped the malware. But even this tiny amount of data can be enough for Kaspersky Lab to run a successful investigation.
Erase / rewind
Within the log files, Kaspersky Lab experts were able to identify pieces of information in plain text that helped them to create a YARA rule for public malware repositories and to find a sample. YARA rules — basically search strings — help analysts to find, group, and categorize related malware samples and draw connections between them based on patterns of suspicious activity on systems or networks that share similarities.
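To show how a hunting rule of this kind is built from recovered log fragments, here is an added example written for this article; it is not Kaspersky Lab's rule and the string values are placeholders, because the actual plaintext fragments from kl.txt and logfile.txt are not reproduced on this page. The rule name, the placeholder strings and the size limit are assumptions; only the file name tv.dll comes from the text.

```yara
rule ATMitch_log_strings_example
{
    meta:
        description = "Illustrative hunting rule built from plaintext fragments recovered from ATM malware logs"
        reference   = "Kaspersky Lab ATMitch write-up; the $log strings below are placeholders, not the real indicators"

    strings:
        // Placeholders: replace with the exact plaintext fragments recovered from kl.txt / logfile.txt
        $log1 = "PLACEHOLDER_LOG_STRING_1" ascii wide
        $log2 = "PLACEHOLDER_LOG_STRING_2" ascii wide
        $log3 = "PLACEHOLDER_LOG_STRING_3" ascii wide
        // File name the sample was later found under, as reported on the page
        $name = "tv.dll" ascii wide nocase

    condition:
        // Restrict to PE files (MZ header), since the sample of interest is a DLL
        uint16(0) == 0x5A4D and
        // Size cap (assumed) keeps the rule from matching large unrelated archives or dumps
        filesize < 2MB and
        // Require more than one recovered fragment, or one fragment plus the known file name,
        // so a single generic string does not produce a flood of unrelated hits
        (2 of ($log*) or (1 of ($log*) and $name))
}
```

Submitting a rule like this to a malware repository retrieves samples sharing the same embedded strings, which is how a log-only investigation can recover an executable the attackers deleted from the ATM; tightening the condition (several fragments rather than one) is what keeps the retrieved set small enough to analyse.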
After a day of waiting, experts found the malware sample they were looking for – "tv.dll", or ‘ATMitch’ as it was later dubbed. It was spotted in the wild twice: once from Kazakhstan, and once from Russia.
This malware is remotely installed and executed on an ATM from within the target bank, through the remote administration of ATM machines. After it is installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. It makes it possible for attackers to run a range of commands – such as collecting information about the number of banknotes in the ATM’s cassettes. What’s more, it provides criminals with the ability to dispense money at any time, at the touch of a button.