ATMitch: Fileless malware attacks ATMs remotely

ATMitch fileless malware: One day, bank employees discovered an empty ATM: there was no money, no trace of physical interaction with the machine, and no malware. After Kaspersky Lab's experts spent considerable time on this mysterious case, they were able not only to understand the digital crime tools used in the robbery, but also to reproduce the attack themselves, discovering a breach in the bank's security system.

In February 2017, Kaspersky Lab published the results of its research into mysterious fileless attacks on banks: criminals used malware that resides in memory to "infect" banking networks. But why do that?

The "ATMitch" case gave us the overall picture.

The investigation started after the bank's forensic experts recovered and shared with Kaspersky Lab two files containing malware logs from the ATM hard drive (kl.txt and LogFile.txt). These were the only files left after the attack: it was not possible to recover the malicious executables because the criminals had removed the malware after the robbery. But even this small amount of data was enough for Kaspersky Lab to conduct a successful investigation.

Erase / rewind

Within the logs, Kaspersky Lab's experts were able to identify pieces of information in plain-text form, which helped them create a YARA rule for a public malware repository and find a sample. YARA rules, essentially search strings, help analysts find, group and categorize related malware samples and establish connections between them based on patterns of suspicious activity on similar systems or networks.
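As an added illustration of the workflow just described (this is not Kaspersky Lab's rule, and the log lines and binary blobs are constructed, not the real ATMitch strings), the following Python extracts the static plain-text fragments from a recovered log, emits a YARA rule from them, and checks that rule against candidate samples with a minimal stand-in matcher rather than the yara module:

```python
import re

# Constructed sample of a malware log fragment as it might be recovered from an
# ATM hard drive. These lines are invented for illustration; they are NOT the
# real ATMitch logs (kl.txt / LogFile.txt), which this page does not reproduce.
RECOVERED_LOG = (
    "[2017-02-01 03:12:07] dispenser: query cassette state\n"
    "[2017-02-01 03:12:09] dispenser: cassette 1 notes 412\n"
    "[2017-02-01 03:12:11] cmd: dispense 40 notes from cassette 1\n"
    "[2017-02-01 03:12:14] cmd: cleanup logs\n"
)

def distinctive_strings(log_text, min_len=8):
    """Return, per log line, the longest run of static text between variable
    fields (timestamps, counters): that is what a sample's format strings carry."""
    found = []
    for line in log_text.splitlines():
        body = re.sub(r"^\[[^\]]*\]\s*", "", line)                # drop timestamp
        fragments = [f.strip() for f in re.split(r"\d+", body)]  # split on numbers
        best = max(fragments, key=len)
        if len(best) >= min_len and best not in found:
            found.append(best)
    return found

def build_yara_rule(name, strings, need=2):
    """Emit YARA rule text that fires when at least `need` strings occur."""
    need = min(need, len(strings))
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:", f"        {need} of them", "}"]
    return "\n".join(lines)

def rule_hits(strings, data, need=2):
    """Minimal offline emulation of the '<need> of them' condition, checking
    ASCII and UTF-16LE forms to mirror YARA's 'ascii wide' modifiers."""
    hits = sum(1 for s in strings
               if s.encode() in data or s.encode("utf-16-le") in data)
    return hits >= min(need, len(strings))

# Constructed blobs standing in for a candidate repository sample and a
# benign file that shares only one of the strings.
CANDIDATE_SAMPLE = (b"MZ\x90\x00" + b"cmd: cleanup logs\x00"
                    + "dispenser: query cassette state".encode("utf-16-le"))
BENIGN_FILE = b"MZ\x90\x00ordinary program; cmd: cleanup logs\x00"
```

Printing `build_yara_rule("atmitch_style_log_strings", distinctive_strings(RECOVERED_LOG))` gives a rule that can be handed to the real yara tool, while `rule_hits` returns True for CANDIDATE_SAMPLE and False for BENIGN_FILE.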

After a day of waiting, the experts found the desired malware sample: "tv.dll", or "ATMitch", as it was later named. It was spotted in the wild twice: once in Kazakhstan and once in Russia.

This malware was installed and executed remotely on an ATM from within the target bank, via the remote administration of the ATM machines. Once installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it were legitimate software. This lets attackers execute a list of commands, such as retrieving the number of banknotes in the ATM cassettes. It also gives criminals the ability to dispense the money at any time, with the click of a button.

Usually, criminals start by obtaining information about how much money a machine holds. After that, a criminal can send a command to dispense any number of banknotes from any cassette. After withdrawing money in this unusual way, the criminals need only grab the cash and leave. An ATM robbery like this takes only a few seconds!

Once the ATM robbery has taken place, the malware deletes its traces.

Who is behind the attacks?

It is not yet known who is behind the attacks. The use of open exploit code, common Windows utilities, and unknown domains during the early stage of the operation makes it almost impossible to identify the group responsible. However, "tv.dll", used in the ATM stage of the attack, contains Russian-language resources, and known groups that could fit this profile are GCMAN and Carbanak.

"Attackers may still be active. But do not panic! Combating this type of attack requires a specific set of skills from the security specialist protecting the target body. Successful violation and deployment of data from a network can only take place through common and legitimate tools. After the attack, criminals can clear all the data that could lead to their detection without leaving any trace. To address these issues, forensic data arising from memory is critical to analyzing malware and its operations. And as our case proves, a carefully directed incident can help resolve even the most 'perfect' digital crime," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Technical details and indicators of compromise are also available to customers of Kaspersky Intelligence Services.

iGuRu.gr


Written by Dimitris
