ATMitch: Fileless malware attacks ATMs remotely

ATMitch fileless malware: One day, bank employees discovered an empty ATM: there was no money, no trace of physical interaction with the machine, and no malware. After its experts spent a long time investigating this mysterious case, Kaspersky Lab was able not only to understand the cybercrime tools used for the robbery, but also to reproduce the attack itself, discovering a security breach at the bank.

In February 2017, Kaspersky Lab published research about mysterious fileless attacks against banks: criminals used memory-resident malware to "infect" banking networks. But why would they do that?

The "ATMitch" case gave us the overall picture.

The investigation began after the bank's forensic experts recovered and shared with Kaspersky Lab two files containing malware logs from the ATM's hard drive (kl.txt and LogFile.txt). These were the only files left after the attack: the malicious executables could not be recovered because the cybercriminals had deleted the malware after the heist. Even this small amount of evidence, however, was enough for Kaspersky Lab to conduct a successful investigation.

Erase / rewind

Within the logs, Kaspersky Lab's experts were able to identify snippets of information in plain text, which helped them create a YARA rule for public malware repositories and find a sample. YARA rules - essentially search strings - help analysts find, group and categorise related malware samples, and link them based on patterns of suspicious activity on similar systems or networks.
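The log-to-YARA step described above, as an added illustration: this is not Kaspersky Lab's tooling, and the sample log content and the strings it yields are constructed, not the contents of kl.txt or LogFile.txt. It extracts printable runs from a carved file, keeps tokens likely to be stable across samples, and emits a YARA rule an analyst would then tune before hunting with it.

```python
import re
from typing import List

# Constructed sample of a recovered plain-text malware log. These lines are
# invented for illustration; they are NOT the contents of kl.txt or LogFile.txt.
SAMPLE_LOG = (
    b"2017-01-15 03:12:44 [dispense] cassette=1 notes=40 result=OK\n"
    b"2017-01-15 03:12:51 [dispense] cassette=2 notes=40 result=OK\n"
    b"2017-01-15 03:13:02 [cleanup] removing traces\n"
    b"\x00\x00\xff\xfe\x01"  # binary residue such as a carved file would contain
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` tool


def extract_strings(data: bytes) -> List[str]:
    """Return runs of printable ASCII, as a carved file would yield them."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def pick_candidates(runs: List[str], min_len: int = 6) -> List[str]:
    """Keep tokens likely to be stable across samples: no digits (timestamps,
    counters and cassette numbers change per heist), long enough to be
    distinctive, de-duplicated in first-seen order."""
    seen = {}
    for run in runs:
        for tok in run.split():
            if len(tok) >= min_len and not any(c.isdigit() for c in tok):
                seen.setdefault(tok, None)
    return list(seen)


def yara_escape(s: str) -> str:
    """YARA text strings are double-quoted; escape backslash and quote."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, candidates: List[str], min_hits: int = 3) -> str:
    """Emit a YARA rule that fires when at least min_hits of the strings appear."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(candidates):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    lines += ["    condition:", f"        {min(min_hits, len(candidates))} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    cands = pick_candidates(extract_strings(SAMPLE_LOG))
    print(build_rule("hypothetical_atm_log_strings", cands))
```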

After a day of waiting, the experts found the malware sample they were looking for – 'tv.dll', or 'ATMitch', as it was later named. It had been spotted in the wild twice: once in Kazakhstan and once in .

This malware was installed and executed remotely on an ATM from within the target bank, through the bank's remote administration of its ATM machines. Once installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. This allows the attackers to execute a list of commands, such as collecting information about the number of cassettes in the ATM. It also allows the criminals to dispense money at any time, at the touch of a button.

Usually, the criminals start by obtaining information about the amount of money the machine holds. After that, a criminal can send a command to dispense any number of banknotes from any cassette. Once the cash has been dispensed in this unusual way, the criminals need only grab the money and leave. An ATM robbery like this takes only a few seconds!

Once the ATM robbery has taken place, the malware erases its traces.

Who is behind the attacks?

It is not yet known who is behind the attacks. The use of public exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to identify the group responsible. However, 'tv.dll', used in the ATM attack stage, contains Russian-language resources, and known groups that could fit this profile are GCMAN and Carbanak.

“The attackers may still be active. But don't panic! Combating these types of attacks requires a specific skill set from the security professional who protects the target organization. Successfully breaching and exfiltrating data from a network can be accomplished with common and legitimate tools alone. After the attack, criminals can wipe all data that could lead to their detection, leaving no traces. To address these issues, forensic evidence derived from memory is critical to understanding malware and its functions. And as our case shows, a carefully crafted case study can help solve even the most 'perfect' digital crime,” said Sergey Golovanov, Principal Researcher at Kaspersky Lab.

Technical details and indicators of compromise are also provided to customers of Kaspersky Intelligence Services.

Written by Dimitris