ATM Malware Spits Out Cash and Self-Deletes

Hand of a man with a credit card, using an ATM. Man using an atm machine with his credit card.

A new malware targeting ATMs, dubbed ATMitch, has been identified and described by Kaspersky Lab researchers.

IT security and fraud experts are observing a significant increase in the number of cyber-attacks against ATMs, particularly skimming and malware-based attacks.

Just this February, Kaspersky Lab alleged that a group of hackers had used file less malware to hack into banks and government agencies in at least 40 countries.

Noting the sophisticated nature of the attack, investigators struggled to determine the reasoning behind hack, just assuming that they were looking to steal data from the systems.

Initially, the affected banks could not find any trace of malware on its ATMs or signs of an intrusion on their back-end network.

The only clue banks found from the ATM hard drives were two malware logs.

The log entries indicated that the phrase “Catch the Money, Bitch!” was printed on its screen.

The malware used in the cyber heists is ATMitch,  a malware capable of issuing various commands to unsecured ATM machines, including the function of counting the amount of banknotes in an ATM or dispensing currency in an Amazon-like single click.

After withdrawing money in this unique way, criminals only need to grab the money and go.

How ATMitch Malware works

Though ATM protection is physically impressive, these armored machines are arguably more vulnerable in cyberspace.

Criminals infect ATMs either through the bank’s internal network.

After installing itself to the system, the malware infects the ATM’s computerized core, giving criminals complete control over infected ATMs.

In this case of this program, once access into the ATM from within the bank is gained through the network, the malware is remotely installed and executed via Remote Desktop Connection (RDP).

Illustration of wordcloud tags of malware concept

IT security and fraud experts are observing a significant increase in the number of cyber-attacks against ATMs, particularly skimming and malware-based attacks.

Once installed, it looks for the “command.txt” file that will be located in the same directory as the malware and created by the attacker.

The malware will proceed to read the single-character content from the file and executes the associated command.

For example, “D” in this context would stand for dispense.

After execution, ATMitch writes the results of this command to the log file and removes “command.txt” from the ATM’s hard drive.

Since this malware is memory based, it disappears after a reboot.

It may be that the attackers are using Windows command line to delete files and directories to cover their tracks.

Tracking down robbed ATMs is almost impossible

Preemptively detecting the hack is nearly impossible, given that most of the malicious behavior takes place through malicious self-deleting malware and Power Shell scripts without leaving any artifacts on the disks.

Once the bank server, client system, or the ATM is rebooted, most of the clues are wiped from the memory.

Emptying ATMs via malware appears to be a new approach for cyber-criminals

There have been past reports about malware that was used to capture customers’ information.

The ATMitch malware appears to be a unique case of malware being used to syphon cash directly from the ATM without relying on customer data.

This malware attack has great similarities to the GreenDispenser malware scam that was linked to ATM theft cases in Mexico.

Hackers involved with GreenDispenser employed authentication through a static hard coded PIN, which was followed by another layer of authentication with a dynamic PIN that wasunique for each and every run of the GreenDispenser malware.

The attackers derived the second PIN from QR codes displayed in the infected ATM’s screen.

In 2013, another malware Ploutus grabbed headlines all over the world because it allowed thieves to empty out banks using a keyboard.

Crooks deployed Ploutus if they were able to access unsecured ATM ports.

The keyboard allows them access to the ATM’s software, and after the crooks decide on the amount of cash they want to steal, they only need to press F3 to collect their money.

Resolving ATMitch Malware Breaches

Financial organizations can expect more of ATM attacks because it lets crooks turn ATMs into their own personal “money machines.” While the fileless malware might still be active, financial firms shouldn’t panic.

Since so little information is actually left behind in these types of ATM hacks, the Kaspersky researchers said that memory forensics and appropriate incident responses are critical to resolving ATM malware breaches.

Leave a Reply