A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.
The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malware’s logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.
The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:WindowsTempkl.txt and C:logfile.txt), and the names of two deleted executables (C:ATM!A.EXE and C:ATMIJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.
Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.
The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the “command.txt” file located in the same directory as the malware itself, as this file includes a list of one character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.
After that, the malware writes the results of the command to the log file and removes “command.txt” from the ATM’s hard drive. ATMitch, which apparently doesn’t try to conceal within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.
The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.
This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.

More from Ionut Arghire
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
- Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
- CISA Provides Resources for Securing K-12 Education System
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
