ATMitch fileless malware: One day, bank employees discovered an empty ATM: there was no money, no trace of physical interaction with the machine, and no malware. After Kaspersky Lab's experts spent considerable time investigating this mysterious case, they were able not only to understand the cybercrime tools used for the robbery, but also to reproduce the attack themselves, uncovering a gap in the bank's system security.
In February 2017, Kaspersky Lab published the results of its research into mysterious fileless attacks on banks: criminals used memory-resident malware to "infect" banking networks. But why do that?
The "ATMitch" case gave us the overall picture.
The investigation began after the bank's forensic experts recovered and shared with Kaspersky Lab two archives which included malware log files from the ATM's hard drive (kl.txt and LogFile.txt). These were the only files left after the attack: the malicious executables could not be recovered because the cybercriminals had deleted the malware after the heist. But even this small amount of data was enough for Kaspersky Lab to conduct a successful investigation.
Erase / rewind
Within the log files, Kaspersky Lab's experts were able to identify snippets of information in plain text, which helped them create a YARA rule for a public malware repository and find a sample. YARA rules, essentially string-based searches, help analysts find, group and categorize related malware samples and make connections between them based on patterns of suspicious activity on systems or networks that share similarities.
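To make the hunting step concrete, here is an added example of the kind of rule an analyst builds from plain-text fragments recovered from logs. It is not Kaspersky Lab's actual rule, and every string in it is a constructed placeholder; the real text lifted from kl.txt and LogFile.txt is not on this page. Only the sample name "tv.dll" comes from the article.

```yara
// Added illustration, not Kaspersky Lab's actual rule. The $log strings are
// CONSTRUCTED placeholders standing in for the plain-text fragments an analyst
// would lift from recovered log files such as kl.txt and LogFile.txt; the real
// ATMitch strings are not on this page.
rule hunt_atm_log_fragments_EXAMPLE
{
    meta:
        description = "Hunts a malware repository for PE files that embed the same plain-text fragments seen in recovered ATM log files"
        author      = "added example, not from the original investigation"

    strings:
        // Plain-text log fragments (constructed placeholders).
        // 'ascii wide' matches both single-byte and UTF-16LE copies, which
        // Windows binaries frequently mix; 'nocase' tolerates casing changes.
        $log1 = "PLACEHOLDER_LOG_PREFIX"   ascii wide nocase
        $log2 = "PLACEHOLDER_DISPENSE_MSG" ascii wide nocase
        $log3 = "PLACEHOLDER_CASSETTE_MSG" ascii wide nocase

        // Name of the sample that the hunt later surfaced (from the article).
        $name = "tv.dll" ascii wide nocase

    condition:
        // Restrict to PE files (MZ header) so text documents and log files
        // containing the same words do not match, cap the size to keep the
        // scan cheap, and require more than one fragment to cut false
        // positives when sweeping a large repository.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        ( 2 of ($log*) or ($name and 1 of ($log*)) )
}
```

Run it over a sample collection with `yara -r rules.yar /path/to/samples`; every hit is a candidate worth pulling for analysis, and the fragments that fired tell you which log lines the binary is capable of producing.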
After a day of waiting, the experts found the malware sample they were looking for: "tv.dll", or "ATMitch", as it was later named. It had been seen in the wild twice: once in Kazakhstan and once in Russia.
This malware was installed and executed remotely on ATMs from inside the target bank, via the ATM machines' remote management. Once installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. This enables attackers to execute a list of commands, such as collecting information about the number of banknotes in the ATM's cassettes. Moreover, it gives the criminals the ability to dispense the money at any time, at the push of a button.
Usually, criminals start by getting information about the amount of money a machine holds. After that, a criminal can send a command to dispense any number of banknotes from any cassette. Once the cash has been dispensed in this unusual way, the criminals need only grab the money and leave. An ATM robbery like this takes only a few seconds!
Once the ATM robbery has taken place, the malware deletes its traces.
Who is behind the attacks?
It is not yet known who is behind the attacks. The use of open exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to identify the group responsible. However, "tv.dll", used in the ATM attack stage, contains a Russian-language resource, and known groups that could fit this profile are GCMAN and Carbanak.
"The attackers may still be active. But don't panic! Fighting this kind of attack requires a specific set of skills from the security specialist protecting the targeted organization. A successful breach and exfiltration of data from a network can be carried out with nothing but common and legitimate tools. After the attack, criminals can clean up all data that could lead to their detection without leaving any traces. To address these issues, memory forensics is critical to analyzing malware and its operations. And as our case proves, carefully directed incident response can help solve even the most 'perfect' digital crime," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
Technical details and indicators of compromise are also provided to customers of Kaspersky Intelligence Services.