ATMitch: Fileless malware attacks ATMs remotely

ATMitch fileless malware: One day, bank employees discovered an empty ATM: no money, no trace of physical interaction with the machine, nor any other clue. After spending a long time investigating this mysterious case, Kaspersky Lab experts were able not only to understand the digital crime tools used for the robbery, but also to reproduce the attack themselves, uncovering a breach in the bank's security system.

In February 2017, Kaspersky Lab published the results of research into mysterious fileless attacks on banks: criminals used memory-resident malware to "infect" banking networks. But why do that?

The "ATMitch" case gave us the overall picture.

The investigation began after the bank's forensic experts recovered and shared with Kaspersky Lab two files containing malware logs from the ATM hard drive (kl.txt and LogFile.txt). These were the only files left after the attack: the malicious executables could not be recovered because the digital criminals had removed the malware after the robbery. But even this small amount of data was enough for Kaspersky Lab to conduct successful research.

Erase / rewind

Within the logs, Kaspersky Lab's experts were able to identify snippets of information in plain text, which helped them create a YARA rule for public malware repositories and find a sample. YARA rules, built around text strings, help analysts find, group and categorize related malware samples and make connections between them based on patterns of suspicious activity on systems or networks that have similarities.
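As an added illustration of the log-to-YARA step described above (example code written for this article, not Kaspersky Lab's tooling; the log lines, the generic-word filter and the rule name are constructed):

```python
import re

# Constructed sample of a plain-text malware log left on an ATM disk.
# Illustrative only; not the real kl.txt / LogFile.txt contents.
SAMPLE_LOG = (
    "[12:01:03] dispatcher started\n"
    "[12:01:04] cassette status requested\n"
    "[12:01:09] command: dispense, cassette 2, count 40\n"
    "[12:01:15] cleanup done\n"
)

# Words too common to be useful as hunting strings (constructed list).
GENERIC = {"started", "requested", "command", "status", "done"}


def extract_candidate_strings(log_text: str, min_len: int = 8) -> list[str]:
    """Return distinctive plain-text fragments from a log, dropping
    timestamps, volatile numbers and generic words so the survivors can
    serve as YARA strings. Order of first appearance is preserved."""
    seen: list[str] = []
    for line in log_text.splitlines():
        body = re.sub(r"^\[\d{2}:\d{2}:\d{2}\]\s*", "", line)  # strip timestamp
        body = re.sub(r"\d+", "", body)  # counts and cassette numbers vary
        for frag in re.split(r"[,\n]", body):
            frag = frag.strip()
            if len(frag) >= min_len and frag not in seen and frag not in GENERIC:
                seen.append(frag)
    return seen


def build_yara_rule(rule_name: str, fragments: list[str], min_hits: int = 2) -> str:
    """Emit a YARA rule whose strings are the extracted fragments.
    The rule also requires a PE header (MZ) because the target is a
    DLL, and demands several fragments so one common phrase cannot
    match unrelated files."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rule_name):
        raise ValueError("rule name must be a valid YARA identifier")
    if not fragments:
        raise ValueError("no fragments to build a rule from")
    min_hits = min(min_hits, len(fragments))
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, frag in enumerate(fragments):
        escaped = frag.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii wide')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {min_hits} of ($s*)", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_yara_rule("atmitch_log_strings_example",
                          extract_candidate_strings(SAMPLE_LOG)))
```

The generated rule is a starting point for hunting in a sample repository; the string list should still be reviewed by hand before use.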

After a day of waiting, the experts found the desired malware sample, "tv.dll", or "ATMitch", as it was later named. It had been seen in the wild twice: once in Kazakhstan and once in Russia.

This malicious software was installed and run remotely on an ATM through the target bank's infrastructure for remote management of ATM machines. Once installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. This allows the attackers to execute a list of commands, such as collecting information about the number of ATM cassettes. It also allows the criminals to dispense money at any time, at the touch of a button.

Usually, the criminals start by obtaining information about how much money a machine holds. After that, a criminal can send a command to dispense any number of banknotes from any cassette. After the money is withdrawn in this unusual way, the criminals need only grab it and leave. An ATM robbery like this takes only a few seconds!

Once the ATM robbery has taken place, the malware deletes its traces.

Who is behind the attacks?

It is not yet known who is behind the attacks. The use of a publicly available exploit, common Windows utilities and unknown domains during the first stage of its operation make it almost impossible to identify the responsible group. However, the "tv.dll" used in the ATM stage of the attack contains Russian-language resources, and known groups that could fit this profile are GCMAN and Carbanak.

"The attackers may still be active. But don't panic! Combating these types of attacks requires a specific skill set from the security professional who secured the target organization. Successfully hacking and exfiltrating data from a network can only be accomplished with common and legitimate tools. After the attack, criminals can clean up all data that could lead to their detection without leaving any traces. To address these issues, forensics resulting from memory are critical for analyzing malware and its operations. And as our case proves, a carefully directed incident response can help solve even the most 'perfect' digital crime," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Technical details and indicators of compromise are also provided to customers of Kaspersky Intelligence Services.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
