• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • ATMitch: New Evidence Spotted In The Wild

ATMitch: New Evidence Spotted In The Wild

Pierluigi Paganini May 07, 2019

Early April, experts at Yoroi-Cybaze ZLab spotted a new interesting malware sample, likely active since 2017, that was linked to ATMitch attacks. 

In the first days of April, our threat monitoring operations spotted a new interesting malware sample possibly active in the wild since 2017. Its initial triage suggests it may be part of an advanced attacker arsenal targeting the Banking sector, possibly related to the same APT group Kaspersky Lab tracked two years ago after the compromise of a Russian bank, where a particular malware tool dubbed ATMitch has been unveiled. In the past, this piece of malware was manually installed on the victim ATM after a wide enterprise network intrusion, enabling the cyber-criminals to manipulate the cash-withdrawal process on the machine.

The recent, unattended discovery of such kind of sample within the Info-Sec community led us to a deep dive into this particular malware tool, spearhead of a sophisticated cyber arsenal.

Technical Analysis

The executable sample is a PE32 x86 file named “tester.exe”. It seems to be custom loader for the real malicious payload able to take control of the target machine.

Sha256bf9c35d8f33e2651d619fe22a2d55372dedd0855451d32f952ecfc73fa824092
ThreatATMitch ATM malware
Brief descriptionATMitch initial loader
Ssdeep1536:sPNdY/P/r6aqTzN7gqJT/0vniPJiz3yUrvGkc+uylR:sPiz657gqJT/06xiT/vaVyl

Table 1: Information about Dropper/Loader of ATMitch

The static data about this sample reveal the sample has been compiled on 8th Oct 2017, months later than the Kaspersky disclosure of the ATMitch attack operation. This element is not enough to date the sample with 100% accuracy due to possible tampering, anyway the other static details suggest the date could be genuine due to the absence of scrambled artifacts.

Figure 1: Payload as resource of the Loader

When started, the executable creates a new folder on “C:\intel” and then starts inspecting all the running processes. It looks for a really particular one: “fwmain32.exe”. This lookup reveals how deeply environmental aware is this implant. In fact, the “fwmain32” process is part of the software services produced by Wincor Nixdorf International GmbH, one of the major vendors providing retail and banking hardware such as ATMs.

Figure 2: Research of “fwmain32.exe” process by malware

Once the “fwmain32.exe” process is found, the loader injects the actual payload in its own memory, infecting it. The payload DLL, initially stored into the loader resources section, will be implanted into the target process using the “SetThreadContext” injection technique (Thread Hijacking). 

Figure 3: Complete Thread Hijacking flow

The figure above shows the sample calls on the OpenThread and the SuspendThread functions to pause the current execution. After allocating the right memory amount in the target process, it writes the shellcode target memory space using the WriteProcessMemory function and sets up the new process context with SetThreadContext. Finally, using the ResumeThread function the payload is able to start its malicious execution.

When the loader succeeded to inject the payload into the “fwmain” process, it also shows a popup window reporting the outcome of the injection phases.

Figure 4: Prompt window reporting the log of the injection phase

ATMitch Payload

Sha256e372631f96face11e803e812d9a77a25d0a81fa41e4ac362dc8aee5c8a021000
ThreatATMitch ATM malware
Brief descriptionATMitch payload
Ssdeep768:N/qZvnFW5PJizM5qy1ucRM7YNNsrGkc+uW9LMQDFd+MbfRprj:N/0vniPJiz3yUrvGkc+uylR

Table 2: Information about the payload (DLL contained as resource in the Dropper/Loader)

The injected DLL has a very characteristic dependency: it requires the “msxfs.dll”. This library provides access to the EXtension for Financial Service (XFS) API, the communication interface needed to interact with AMT components such as PIN pad and cash dispenser. Again, this is a very particular dependency can only be resolved on special purpose Windows environment, like the Wincor machines.

Figure 5: “msxfs.dll”, library required by malware to communicate with ATM device

The malware is quite simple: it reads commands from a file included into “c:\intel” folder and interacts with the ATM drivers in order to retrieve information about the current amount and to dispense money at the right time. In the following screen is shown a function used to initiate the communication with the PinPad and Dispenser ATM components.

Figure 6: Discovering of PinPad and Dispenser components

Using the functions provided by “msxfs.dll” library, the malware can easily interact with these components. For example, using the WFSExecute function it is possible to send one of the supported commands to the dispenser, like OPEN_SHUTTER or OPEN_SAFE_DOOR.

Figure 7: Part of commands accepted by ATM

In the specific case, the malware uses the function to dispense money through the command WFS_CMD_CDM_DISPENSE, as shown in figure:

Figure 8: Command “WFS_CMD_CDM_DISPENSE” used by malware to dispense money

The core of the malware is the following switch structure: after reading the new command from the specific file, it compares the command code with the embedded ones, such as “code 2” for retrieving information or “code 7” for dispensing money.

Figure 9: Malware’ switch structure

Moreover, the malware provides a well-structured logging system: all actions are traced and logged into “c:\intel\__log.txt”. In relation to the action that needs to be logged, it is able to set a specific logging level (FATAL, ERROR, DEBUG etc.).

Figure 10: Logging-level of the malware logging system

Conclusion

This recently discovered ATMitch sample is one of the key assets used by advanced attackers during bank cyber-robberies, potentially even by the Carbanak or the GCMAN group. Who manually install it within segregated hosts and write commands directly into the target machine, without any command and control traffic. The usage of Remote Desktop to directly connect to the target machine is also supported by the presence of a prompt window (Figure 4) which shows the correct execution of the first stage. Probably the last steps of an attack flow involving ATMitch are the following:

  1. The attacker connects to the ATM machine using Remote Desktop;
  2. The attacker transfers the loader EXE and runs it: the prompt window shows if everything went well;
  3. The attacker deletes the initial file in order to remove tracks;
  4. The attacker writes commands in the appropriate file;
  5. The malware executes the new commands and writes in the log file;
  6. The attacker examines the log file to know the state of the command execution.

So, the eventual presence of this malware could be the tip of the iceberg of a more complex and articulated attack perpetrated by advanced cyber-criminals.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ATMitch, ATM)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

banking Cybercrime malware Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT