Security Experts:

Connect with us

Hi, what are you looking for?



Malware Allows Remote Administration of ATMs

A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.

A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.

The threat was discovered after a Russian bank was hit by a targeted attack where cybercriminals gained control of ATMs and uploaded malware to them. Although the actors did remove the malware after the heist, which left researchers without an executable to analyze, the malware’s logs and some file names were restored after the attack, which Kaspersky researchers were able to analyze.

The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:WindowsTempkl.txt and C:logfile.txt), and the names of two deleted executables (C:ATM!A.EXE and C:ATMIJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.

Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.

The malware is installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank. Once on the infected machine, the threat looks for the “command.txt” file located in the same directory as the malware itself, as this file includes a list of one character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.

After that, the malware writes the results of the command to the log file and removes “command.txt” from the ATM’s hard drive. ATMitch, which apparently doesn’t try to conceal within the system, uses the standard XFS library to control the ATM, meaning that it can be used on all ATMs that support the XFS library.

The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.

This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.