Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



ATMZombie Banking Trojan Hits Israeli Banks

Researchers at Kaspersky Lab have recently identified and analyzed what is considered the first banking Trojan designed to steal money from Israeli banks.

Researchers at Kaspersky Lab have recently identified and analyzed what is considered the first banking Trojan designed to steal money from Israeli banks.

Dubbed ATMZombie, the malware leverages insidious injection and other sophisticated and stealthy methods, including a proxy-changing technique and a SMS transaction feature. The Trojan’s operators are using a loophole in one of the bank’s online features and then physically withdraw money from the ATM, assisting money mules who are called zombies and are believed to have little knowledge of how the attack works.

The method of using a “proxy-changer” for stealing credentials involves modifying browser proxy configurations and capturing traffic between a client and a server. Furthermore, Kaspersky researchers discovered that the ATMZombie incidents featured similarities with Tochechnyj Banker, a Trojan observed attacking PSB-retail customers not long ago.

Kaspersky Lab’s Ido Naor explains in a blog post that the threat actor(s) behind the malware has been very active in banking malware campaigns, registering domains for various other Trojans as well, though none have used the ATMZombie modus operandi. A piece of malware that does, however, is the Retefe Banking Trojan, which was discovered in August 2015 and includes the Smoke Loader backdoor, in addition to ATMZombie’s capabilities.

Once it has been dropped on the victim’s machine, the malware unpacks itself and stores certificates in common browsers (Opera, Firefox), while also modifying their configurations to enable a Man-In-The-Middle attack. The Trojan also gets rid of all proxies others than those it uses, and changes cache permissions to read-only.

Next, it modifies registry entries with Base64 encoded strings that contain a path to the auto-configuration content and installs own signed certificate into the root folder to stream data over HTTPS and securely steal the victim’s credentials. As soon as the victim logs into their bank account, the malware steals the credentials, logs in using their name, and sends money to the ATMZombie by exploiting the SMS feature.

According to researchers, the malware was found targeting clients of a specific Israeli bank, with victims being lured into downloading the Trojan specifically because they were clients of Israeli banks. Researchers suggest that either the attackers had a very good intelligence-gathering techniques or they took advantage of an insider who could provide them with the list of clients.

Advertisement. Scroll to continue reading.

After stealing the victim’s credentials, the attackers manually login into the hijacked account to submit a wire transfer to the account of the money mule. The actors behind the Trojan issue a money transfer to the money mule’s cell phone number and Israeli Personal Identifiable Information (PII), while the money mule sends the money to the attacker in exchange for a small amount of it.

By using this technique, attackers managed to remain anonymous for a long time, while supervising their campaign remotely. 

The SMS transaction feature offered by banks is widely used by people to send money to their friends or family who have no credit card. The owner of the phone is provided with information such as Date, Israeli ID, Name and Amount, as well as with an SMS message that authorizes the cash withdraw.

Kaspersky Lab notes that hundreds of people are believed to have fallen victim to ATMZombie attacks, but that the banks have since stopped the attacks and compensated victims. The actors behind the campaign supposedly managed to steal hundreds of thousands of dollars in a short period of time, with the highest amount stolen from a single account being $750.

Banking Trojans represented one of the predominant threats last year and are expected to continue doing so in 2016, especially with Dridex gaining new capabilities and with the source code of GM Bot leaking online. However, while the Gozi Trojan recently started targeting the Edge browser in Windows 10, the Dyre botnet went quiet in November 2015.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...