• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Uncategorized
  • ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware

ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware

Pierluigi Paganini April 09, 2017

According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia and stole $800,000 in just one night using a Fileless malware dubbed ATMitch.

According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia and stole $800,000 in just one night.

The cyber heist caught the attention of security experts that analyzing the CCTV footage have noticed a man walking up to the ATM and collecting cash apparently without interacting with the machine.

Security teams at the affected banks haven’t found any evidence of the presence of a malware or any sign of an intrusion. Just one of the targeted banks reported having discovered two files containing malware logs on the ATM.

The experts have discovered the following strings in the log files:

  • “Take the Money Bitch!”
  • “Dispense Success.”

In February, malware at Kaspersky Labs reported that crooks hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged a ‘Fileless malware.’

fileless malware

Malicious code is directly injected into the memory of the infected machine and the malware executes in the system’s RAM.

“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.

The attack was first spotted by a bank’s security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in a physical memory of a Microsoft domain controller (DC).

The experts at Kaspersky Lab tracked the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverage PowerShell scripts within the Windows registry to load the Meterpreter code directly into memory, similar techniques leveraging on the PowerShell were already adopted by other malware in the wild.
Malware researchers believe that hackers that targeted the banks carried out the attacks with a Fileless malware.

During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.

Experts have tracked the malware as ATMitch, it was first spotted in Russia and Kazakhstan, the malicious code is remotely installed and executed on ATMs via its remote administration module.

“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.

fileless malware ATMitch

The attackers connect the ATM via SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.

Since Fileless malware leverages the existing legitimate tools on a machine to remotely send the command to dispense the money, an operation that is very quick, just a few seconds are enough to empty the ATM without leaving traces.

“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.

The experts highlighted that attackers used a sophisticated method to compromise the bank network an access to the ATM’s back-end panel.

To avoid triggering the alarm, attackers physically accessed the ATM by drilling a golf-ball sized hole in the front panel. The hole allows the attackers to access to the cash dispenser panel using a serial distributed control wire (SDC RS485 standard).

Kaspersky experts explained that the technique was discovered after the police arrested a man dressed as a construction worker while he was drilling into an ATM.

Malware researchers warn ATM manufacturer and banks that crooks across Russia and Europe have already used the ATM drill attack for cyber heists.

Researchers did not identify a specific criminal gang behind these ATM hacks, anyway, they noticed that the source code used in the attacks contains references to the Russian language.

Kaspersky has discovered many similarities with techniques used by the have discovered many similarities with techniques used by the Carbanak and GCMAN cyber gangs.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fileless malware, banks)


facebook linkedin twitter

ATM bank banking Carbanak cybergang Cybercrime GCMAN Hacking Kaspersky malware Metel

you might also like

Pierluigi Paganini July 27, 2025
Allianz Life data breach exposed the data of most of its 1.4M customers
Read more
Pierluigi Paganini July 27, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Allianz Life data breach exposed the data of most of its 1.4M customers

    Data Breach / July 27, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT