Cybersecurity multinational Kaspersky Lab has cautioned banks in the Middle East, Africa and Turkey to check random access memory (RAM), network and registry logs to determine whether the fileless ATMitch malware is present.
The ATMitch uses in-memory malware to infect banking networks. This malware is remotely installed and executed on an ATM from within the target bank through remote administration tools of ATM machines, says Kaspersky Lab senior security researcher Amin Hasbini.
After it is installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it is legitimate software. This makes it possible for attackers to carry out a list of commands such as collecting information about the number of banknotes in the ATM’s cassettes. Further, criminals can dispense money at any time from the infected ATM at the touch of a button.
Usually criminals start by getting information on the amount of money an ATM dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. An ATM robbery like this takes seconds. Once an ATM is robbed, the malware deletes its traces.
The investigation started after a bank’s forensics specialists recovered and shared two files containing malware logs from the ATM’s hard drive (kl.txt and logfile.txt) with Kaspersky Lab. These were the only files left after the attack. It was not possible to recover the “malicious executables” because cybercriminals had wiped the malware after the robbery.
After the attack, criminals may wipe all the data that could lead to their detection, leaving no traces. To address these issues, memory forensics is becoming critical to the analysis of malware and its functions, says Kaspersky Lab principal security researcher Sergey Golovanov.
“As this case proves, a carefully directed incident response can help to solve even well prepared cybercrime,” he highlights.
“We advise organisations to check their systems, keeping in mind that detection of such an attack is possible only in RAM, their network and registry logs. In such instances, the use of Yara rules based on a scan of malicious files are of limited use and comprehensive security software is advised to prevent such attacks,” emphasises Hasbini.
Kaspersky Lab has registered attacks in more than 140 enterprise networks in a range of business sectors. Infections have been registered in 40 countries, including in Turkey, Saudi Arabia, Iran, Libya, Pakistan, Tunisia, Morocco, Egypt, Kenya, Uganda, Congo and Tanzania. ATMitch cases have been reported in just two countries to date, but the attackers might still be active.
“Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organisation. The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools,” says Golovanov.
Further information on the ATMitch malware Yara rules for forensic analysis of the fileless attacks can be found in the two blogs on Securelist.com. Technical details, including Indicators of Compromise have also been provided to customers of Kaspersky Intelligence Services.