Tuesday, October 15, 2024
HomeMalwareA Fileless Malware Called "ATMitch" Attack The ATM machines Remotely...

A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Published on

Malware protection

[jpshare]

A  Fileless malware “ATMitch”  Access the ATM Remotely that gave them the ability to dispense money, “at any time, at the touch of a button.” Discovered by the Researchers from Kaspersky Lab.

Attackers introduced the malware on ATMs by means of the machine’s remote administration modules, something which gave them the capacity to execute commands, for example, arranging the quantity of bills inside a machine or dispensing cash.

- Advertisement - SIEM as a Service

This Malware Playing some interesting role once it’s entered into the ATM. During the Attack, the criminals were able to gain control of the ATMs and upload Malware to them.

According to Researchers from Kaspersky Lab ,After cashing out, the Malware was removed. The bank’s forensics specialists were unable to recover the malicious executables because of the fragmentation of a hard drive after the attack, but they were able to restore the Malware’s logs and some file names.

Bank’s forensic team analyzed the ATM. Hard disk care bank’s forensic team full and found some interesting files and Deleted Executable.

Researchers from Kaspersky Lab, Released the Executable file and other data’s which has been deleted once malware completed the action.

  • C:\Windows\Temp\kl.txt
  • C:\logfile.txt
  • C:\ATM\!A.EXE
  • C:\ATM\IJ.EXE

Golovanov and Soumenkov analyzed two files containing malware logs, kl.txt, and logfile.txt, from an affected ATM’s hard drive. Forensics specialists at one of the banks that was hit by the malware shared the files.

Source: Kaspersky Lab

They created a YARA rule for publicly available Malware repositories, which yielded a sample.YARA, a pattern-matching tool, is used by malware researchers to help identify and classify malware samples.

According to the Researchers, once installed and executed via Remote Desktop Connection the malware looks for a file, command.txt.From there it reads characters inside the file which link back to different commands and executes them depending on the attackers’ needs. 

If found, the malware reads the one character content from the file and executes the respective command:

  • ‘O’ – Open dispenser
  • ‘D’ – Dispense
  • ‘I’ – Init XFS
  • ‘U’ – Unlock XFS
  • ‘S’ – Setup
  • ‘E’ – Exit
  • ‘G’ – Get Dispenser id
  • ‘L’ – Set Dispenser id
  • ‘C’ – Cancel
After execution, “ATMitch” writes the results of this command to the log file and removes “command.txt” from the ATM’s hard drive.

Researchers can’t find who is behind of this attack and The malware used during the second stage of the attack, “tv.dll,” contains a Russian-language resource, something which fits the profile of the groups as well.

 Also Read:

 
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...