Pierluigi Paganini September 24, 2019

Kaspersky experts spotted a new piece of ATM malware, dubbed ATMDtrack, that was developed and used by North Korea-linked hackers.

Kaspersky researchers discovered a new piece of ATM malware, tracked as ATMDtrack, that was developed and used by North Korea-linked hackers.

Threat actors deployed the malware on ATM systems to steal payment card details of the back customers.

ATMDtrack has been spotted on the networks of Indian banks since late summer 2018, a more sophisticated version tracked as Dtrack, was involved in attacks aimed at Indian research centers.

“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines.” reads the analysis published by Kaspersky.

According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.

DTrack, was developed to spy on the victims and exfiltrate data of interest, it supports features normally implemented in remote access trojan (RAT).

Below a list of some functionalities supported by the Dtrack payload executables analyzed by Kaspersky:

• keylogging,
• retrieving browser history,
• gathering host IP addresses, information about available networks and active connections,
• listing all running processes,
• listing all files on all available disk volumes.

The experts were able to analyze only dropped samples, as the real payload was encrypted with various droppers. The samples were detected because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps.

“At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly.” continues Kaspersky.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc.”

Once decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.

“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.

The discovery of the ATMDTrack malware confirms the intense activity of the Lazarus APT group.

The state-sponsored group continues to develop malware that was used in both financially-motivated attacks and cyber espionage operations.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers.” concludes Kaspersky. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”

Technical details, including IoCs, are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]