A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.
The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malware’s logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.
The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:\Windows\Temp\kl.txt and C:\logfile.txt), and the names of two deleted executables (C:\ATM\!A.EXE and C:\ATM\IJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.
Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.
The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the “command.txt” file located in the same directory as the malware itself, as this file includes a list of one character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.
After that, the malware writes the results of the command to the log file and removes “command.txt” from the ATM’s hard drive. ATMitch, which apparently doesn’t try to conceal within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.
The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.
This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.