ATM hackers release cold, hard cash at the click of a remote button

The ATMitch heist has shown attackers are now able to remotely create an ATM tunnel to financial reward with little effort.
Written by Charlie Osborne, Contributing Writer

Researchers have revealed a novel way for hackers to withdraw money fraudulently through an ATM, and without any need to physically access the device.

When an ATM is compromised, you expect to find a cybercriminal has used one of the most popular methods to do so, such as compromising the ATM's aging operating system through malware or physically tampering with ATM hardware to force the machine to spew out cash uncontrollably.

Now, security experts have discovered a novel method that doesn't require the attacker themselves to visit an ATM at all, but they still cash out.

In 2015, security researchers uncovered a two-year criminal operation that relieved banks of $1 billion worldwide by compromising ATM machines in Russia through the use of the Carbanak malware.

In February 2017, Kaspersky published the results of its investigation into "fileless" attacks against banks, which revealed a new method for criminals to attack ATMs: in-memory malware used to infect banking networks, allowing the attackers to set up tunnels and control PowerShell-based hosts remotely.

The so-called "ATMitch case" has now revealed additional details concerning these kinds of attacks, which have struck at least 140 enterprise players worldwide. While not completely "fileless," as originally believed, the attack still has a few interesting -- and amusing -- characteristics.

On Monday, at the Kaspersky Security Analyst Summit in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov said the use of ATMitch leaves little or no traces of malware.

When the researchers were called in to assist a bank that had fallen victim to ATMitch, the unnamed bank's specialists could share only two files containing malware logs from the ATM's hard drive, and no other leftover information or files relating to the attack.

These two small files, kl.txt and logfile.txt, were enough for the researchers to create YARA search strings to find malware samples related to the ATM attack in public repositories. However, the researchers had little to work with except two process strings containing the phrases, "catch some money, bitch!" and "dispense success."
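As an added illustration, not code from the article or from Kaspersky, this is the shape a hunting rule built from those two strings would take; the rule name and metadata are made up, and the condition assumes the samples being hunted (such as tv.dll) are Windows PE files:

```yara
rule ATMitch_dispenser_strings_hunt
{
    meta:
        description = "Illustrative rule: hunts for ATM dispenser malware using the two strings recovered from the victim ATM's log files"
        source = "constructed example, not a vendor rule"
    strings:
        // the only two leads the researchers had from kl.txt and logfile.txt
        $s1 = "catch some money, bitch!" ascii wide nocase
        $s2 = "dispense success" ascii wide nocase
    condition:
        // assumption: the dropped component is a small Windows PE (MZ header)
        uint16(0) == 0x5A4D and filesize < 2MB and any of them
}
```

On its own, "dispense success" is generic enough to match legitimate ATM software, so in practice a hunt like this is a starting point for retrieving candidate samples rather than a blocking signature.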

A malware sample dubbed "tv.dll" or "ATMitch" was among the results. Spotted only twice in the wild -- once in Kazakhstan and once in Russia -- ATMitch is remotely installed and executed on an ATM.

Golovanov told ZDNet that this may be made possible through a remote console, which is used by the hacker to create an SSH tunnel, deploy the malware, send a query to find out how much money is available, and then send the command to the ATM to dispense cash.

The ATM treats the malicious code as legitimate software, which the remote operator exploits to send the dispense command at the moment of their choosing, while associates standing at the machine pick up the money.

According to the security expert, CCTV footage revealed one man picking up funds fraudulently in some cases, while in others, multiple men were in attendance.

In this grab-and-go manner, an ATM theft takes only a few seconds and can be completed without the operator going anywhere near the physical machine. Once an ATM has been robbed, the operator 'signs off', and there is little, if any, trace of the malware.

As attackers tunnel in through the back of the bank's infrastructure, the type of operating system or front-facing defenses in use makes no difference. However, whitelisting may help protect banks from becoming victims of these kinds of attacks.

"The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection leaving no traces, nothing," Golovanov said. "To address these issues, memory forensics is becoming critical to the analysis of malware and its functions."

It is unknown who is behind these attacks, but code present in the ATM stage of the attack contains references to the Russian language, and suspicion falls on either GCMAN or Carbanak as the parties involved.

"Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organization," said Golovanov.

Making a definite case for a particular set of threat actors is impossible, as the attackers make use of open-source exploit code, common and universal Windows utilities, and unknown domains.

Disclosure: The trip to St. Maarten was sponsored by Kaspersky.
