ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware

According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia and stole $800,000 in just one night using a Fileless malware dubbed ATMitch.

According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia and stole $800,000 in just one night.

The cyber heist caught the attention of security experts that analyzing the CCTV footage have noticed a man walking up to the ATM and collecting cash apparently without interacting with the machine.

Security teams at the affected banks haven’t found any evidence of the presence of a malware or any sign of an intrusion. Just one of the targeted banks reported having discovered two files containing malware logs on the ATM.

The experts have discovered the following strings in the log files:

• “Take the Money Bitch!”
• “Dispense Success.”

In February, malware at Kaspersky Labs reported that crooks hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged a ‘Fileless malware.’

Malicious code is directly injected into the memory of the infected machine and the malware executes in the system’s RAM.

“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.

The attack was first spotted by a bank’s security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in a physical memory of a Microsoft domain controller (DC).

The experts at Kaspersky Lab tracked the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverage PowerShell scripts within the Windows registry to load the Meterpreter code directly into memory, similar techniques leveraging on the PowerShell were already adopted by other malware in the wild.
Malware researchers believe that hackers that targeted the banks carried out the attacks with a Fileless malware.

During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.

Experts have tracked the malware as ATMitch, it was first spotted in Russia and Kazakhstan, the malicious code is remotely installed and executed on ATMs via its remote administration module.

“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.

The attackers connect the ATM via SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.

Since Fileless malware leverages the existing legitimate tools on a machine to remotely send the command to dispense the money, an operation that is very quick, just a few seconds are enough to empty the ATM without leaving traces.

“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.