Criminals able to empty ATMs using remote admin attacks
Back in February of this year researchers at Kaspersky Lab uncovered a series of mysterious fileless attacks against banks where criminals were using in-memory malware to infect banking networks.
A recent investigation into a Russian bank ATM, where there was no money, no traces of physical interaction with the machine and no malware, has thrown further light on this activity.
The bank's forensics specialists recovered two files containing malware logs from the ATM's hard drive. These were the only files left after the attack: the malicious executables could not be recovered, because the criminals had wiped the malware after the robbery, but there was enough material for Kaspersky Lab to run a successful investigation.
The malware, called ATMitch, is installed and executed remotely on an ATM from within the target bank, via the bank's own remote administration channel for its ATMs. Once installed and connected to the ATM, ATMitch communicates with the machine as if it were legitimate software.
This lets the attackers execute a list of commands, such as collecting information about the number of banknotes in the machine's cassettes. What's more, it gives criminals the ability to dispense cash at any time, at the touch of a button. Once the machine has been robbed, the malware deletes itself.
It still isn't known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to determine the group responsible.
"The attackers may still be active, but don't panic," says Sergey Golovanov, principal security researcher at Kaspersky Lab. "Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organization. The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection leaving no traces, nothing. To address these issues, memory forensics is becoming critical to the analysis of malware and its functions. And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime."
More information about the attack is available on Kaspersky's Securelist blog.