Hackers targeted at least 8 ATMs in Russia and stole $800,000. The most interesting part of the hack is that in the CCTV footage the culprit is collecting cash without even touching the machine.
The banks could not find any malware in their back-end systems or any sign of an intrusion.
Kaspersky Labs in February reported that the attacker managed to compromise 140 enterprises, including banks, telecoms, and government organisations, in the US, Europe, UK and other countries with the ‘Fileless malware’.
As the researchers explained in Sint Maarten, a cybercriminal first used this fileless, memory-based malware to attack nearly 150 enterprises worldwide earlier this year.
According to the researchers, the attack was carried out using ‘Fileless malware’ that resides in the memory (RAM) of the infected ATMs rather than on the ATMs' hard drives.
The only clue the unnamed bank’s specialists found on the ATM’s hard drive was two files containing malware logs.
Two researchers, Golovanov and Soumenkov, were able to analyse those two files, kl.txt and logfile.txt, from an affected ATM’s hard drive, and this small clue was enough for the researchers from the Russian firm Kaspersky.
The log files included the two process strings containing the phrases: “Take the Money Bitch!” and “Dispense Success.”
The two researchers, Sergey Golovanov and Igor Soumenkov, described at the Kaspersky Security Analyst Summit in St. Maarten on Monday how the attacker used the malware to get into the bank's systems and cash out, as reported by ThreatPost.
Dubbed ATMitch, the malware gives the attacker the ability to form an SSH tunnel, deploy the malware, and send the cash-out command to the ATM to dispense cash. The malware was remotely installed and executed on the ATMs via the ATMs' remote administration module.
It was first in the wild in Kazakhstan and Russia.
The attackers were skilled at evading detection: the malware gives them access to the bank’s affected server from memory, and once the funds are out, it simply deletes itself. Since ATMitch writes the results of each command to the log file and deletes command.txt from the machine's hard drive, it is hard to trace.
Because the malware uses the legitimate tools already present on a machine, no malware gets installed on the system.
This remote access is possible only if the attacker first gets into the bank's back-end network, which requires more intrusion skill.
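The two log files and the two log strings above are the only on-disk traces the article credits the bank's specialists with finding. The script below is an added example (not Kaspersky's or the bank's code) that turns those indicators into a simple disk-sweep check a defender could run against an ATM image: it walks a directory tree, flags a file named kl.txt or logfile.txt that contains either phrase, and flags any leftover command.txt (the file the article says ATMitch normally deletes). The sample directory it builds is constructed for the demonstration; the file names and strings come from the article, everything else is an assumption.

```python
"""Sweep a directory tree for the ATMitch log artifacts described in the article.

Indicators (file names and log strings) are taken from the article; the sample
tree built by build_sample_tree() is constructed for this example.
"""
import os
import tempfile

# Log file names the bank's specialists found on the ATM hard drive (from the article).
LOG_FILE_NAMES = {"kl.txt", "logfile.txt"}
# Process strings the researchers found inside those logs (from the article).
LOG_STRINGS = ("Take the Money Bitch!", "Dispense Success.")
# The command file the article says ATMitch deletes after use; a surviving copy is a finding.
COMMAND_FILE_NAME = "command.txt"


def scan_file(path):
    """Return a list of (indicator, detail) hits for a single file."""
    hits = []
    name = os.path.basename(path).lower()
    if name == COMMAND_FILE_NAME:
        hits.append(("command_file_present", path))
    if name in LOG_FILE_NAMES:
        try:
            with open(path, "r", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for marker in LOG_STRINGS:
                        if marker in line:
                            hits.append(("log_string", f"{path}:{lineno}:{marker}"))
        except OSError:
            # Unreadable file: skip rather than abort the whole sweep.
            pass
    return hits


def scan_tree(root):
    """Walk the tree under root and collect hits from every regular file."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            hits.extend(scan_file(os.path.join(dirpath, filename)))
    return hits


def build_sample_tree():
    """Constructed sample: a fake ATM drive with one suspicious log and one benign file."""
    root = tempfile.mkdtemp(prefix="atm_sample_")
    with open(os.path.join(root, "logfile.txt"), "w") as f:
        f.write("[01:02:03] Take the Money Bitch!\n")   # constructed log line
        f.write("[01:02:05] Dispense Success.\n")       # constructed log line
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign file\n")                         # constructed, should not match
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for indicator, detail in scan_tree(sample_root):
        print(f"{indicator}: {detail}")
```

Because the malware itself lives only in RAM, a sweep like this catches the residue, not the payload; it is a triage aid for an image taken after the fact, and a memory capture would still be needed to recover the running code.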
Behind The Attack:
The researchers are still unsure who is behind the attack but acknowledged that some of the tactics, techniques, and procedures resemble those used by the groups GCMAN and Carbanak.
First stage – Found two months ago, an extensible Metasploit payload running in memory. PowerShell scripts, Microsoft’s command-line utility NETSH, and Mimikatz, a post-exploitation utility, were used.
Second stage – “tv.dll,” which contains a Russian-language resource, something that fits the profile of groups including GCMAN and Carbanak.
Since the attack is memory based, it vanishes after a reboot. In some cases, the attackers used SDelete, a Windows command-line utility that deletes files and directories, to cover their tracks.
Precise Form Of Physical Penetration:
The story of how Golovanov and Soumenkov came to reverse engineer the ATM malware is a riveting one: police arrested a man dressed as a construction worker while he was drilling into an ATM in the middle of the day to inject malicious code. The suspect was arrested with a laptop, cables, and a small box.
Golovanov and Soumenkov discovered that the suspect was injecting commands into a long wire that ran through the ATM.
The wire, an SDC, or serial distributed control link, connects circuitry between devices inside the ATM. The researchers were able to determine that the wire followed the RS485 standard and carried encrypted 9-bit data.