Filename | Overnight criminals stole $800,000 from ATMs by using "disappearing" Malware |
Permission | rw-r--r-- |
Author | Asylum |
Date and Time | 2:33 PM |
Label | 000 from ATMs by using "disappearing" Malware| E Hacking News - Latest Hacker News and IT Security News| free| google| hacking| IFTTT| new| news| Overnight criminals stole $800 |
Action |
The specialists of "Kaspersky Lab" talked about the new technique that criminals use to steal money from ATMs. They explained such cases in which physical damage or infection by Malware in ATMs cannot be found. The ATM is forced to vend money to criminals and their accomplices. We can assume that the attackers could compromise the corporate network, but sign of a break-in could not be found.The hackers had carefully cover their tracks .
At the Security Analyst Summit conference experts said that in 2016 two Russian banks has suffered from such attacks, one night Banks lost about $ 800,000 because criminals emptied their ATMs. During the attack hackers were able to gain control over ATMs and downloaded the Malware.The malicious program was removed after withdrawing the money. Forensics from one of the affected banks were not able to recover malware executables because of fragmentation of hard drive after attack. But they have been able to get logs of Malware and find the names of some files.
So, the researchers found on the hard drive of affected ATM two files: C:\Windows\Temp\kl.txt and C:\logfile.txt. And they gotten to know the names of the executables: C:\ATM\!A.EXE and C:\ATM\!J.EXE.
Following fragment in a text format were discovered in the logs. Researchers could not find more information:
[Date — Time]
[%d %m %Y %H : %M : %S] > Entering process dispense.
[%d %m %Y %H : %M : %S] > Items from parameters successfully converted. 4 40
[%d %m %Y %H : %M : %S] > Unlocking dispenser, result is 0
[%d %m %Y %H : %M : %S] > Catch some money, bitch! 4000000
[%d %m %Y %H : %M : %S] > Dispense success code is 0
Analysts of "Kaspersky Lab" was able to analyze with this information.An YARA rule to search for Malware was created on basis of data from log. Apparently, sample of Malware has been uploaded to Virus Total under the name tv.dll twice (from Kazakhstan and Russia). Malware was codenamed ATMitch, and investigation continued.
The Study of Malware showed that ATM computer opens a Remote Desktop Connection to the attacker after the installation ATMitch inside the ATM. Then the Malware looks for the file command.txt. This file should in some folder with Malware. If the file is found, ATMitch reads its contents, consisting of single symbol and performs necessary command:
O’ - to open the dispenser
‘D’ - to give money
‘I’ - to initialize XFS library
‘U’ - to unlock XFS
‘S’ - to setup
‘E’ - to exit
‘G’ - to get ID of dispenser
‘L’ - to set ID of dispenser
‘C’ - to cancel
After executing of the command ATMitch writes results to log and deletes from the hard drive of ATM the file command.txt. Then attackers need to only come to ATM, withdraw money and disappear.
The researchers write that standard XFS library is used to control ATM. So, Malware works on any ATM that supports XFS library. The overwhelming majority are ATM's support the XFS library.
"The group is probably still active. But that is no reason to panic. In order to fight back such cyber attacks, information security specialist of victim organization must have special knowledge and skills. First of all, we must remember that attackers used usual legitimate tools, and after the attack they carefully remove all traces of their presence in the system. Therefore, for solving problems we need to pay special attention to the study of memory (brain of ATM), in which ATMitch is hiding", – said Sergey Golovanov, leading anti-virus expert in "Kaspersky Lab".
via E Hacking News - Latest Hacker News and IT Security News Overnight criminals stole $800,000 from ATMs by using "disappearing" Malware http://ift.tt/2nMziLn
0 comments:
Post a Comment