A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.
The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malwareâs logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.
The files were recovered by the bankâs forensic team, which provided the security researchers with two text files (located at C:WindowsTempkl.txt and C:logfile.txt), and the names of two deleted executables (C:ATM!A.EXE and C:ATMIJ.EXE). However, the contents of the exe files couldnât be retrieved, Kaspersky notes.
Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of âtv.dllâ. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.
The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the âcommand.txtâ file located in the same directory as the malware itself, as this file includes a list of one character commands: âOâ â Open dispenser; âDâ â Dispense; âIâ â Init XFS; âUâ â Unlock XFS; âSâ â Setup; âEâ â Exit; âGâ â Get Dispenser id; âLâ â Set Dispenser id; and âCâ â Cancel.
After that, the malware writes the results of the command to the log file and removes âcommand.txtâ from the ATMâs hard drive. ATMitch, which apparently doesnât try to conceal within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.
The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldnât be retrieved. âtv.dllâ, the researchers say, contained one Russian-language resource.
This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.