Banks warned of ATMs being infected remotely by malware

12th May 2017

By: Schalk Burger

Creamer Media Senior Deputy Editor

Cybersecurity multinational Kaspersky Lab has cautioned banks in the Middle East, Africa and Turkey to check random access memory (RAM), network and registry logs to determine whether the fileless ATMitch malware is present.

ATMitch uses in-memory malware to infect banking networks. It is installed and executed remotely on an ATM from within the target bank's network, using the ATMs' own remote administration tools, says Kaspersky Lab senior security researcher Amin Hasbini.

After it is installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it is legitimate software. This makes it possible for attackers to carry out a list of commands such as collecting information about the number of banknotes in the ATM’s cassettes. Further, criminals can dispense money at any time from the infected ATM at the touch of a button.

Usually criminals start by getting information on the amount of money an ATM dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. An ATM robbery like this takes seconds. Once an ATM is robbed, the malware deletes its traces.

The investigation started after a bank’s forensics specialists recovered and shared two files containing malware logs from the ATM’s hard drive (kl.txt and logfile.txt) with Kaspersky Lab. These were the only files left after the attack. It was not possible to recover the “malicious executables” because cybercriminals had wiped the malware after the robbery.

After the attack, criminals may wipe all the data that could lead to their detection, leaving no traces. To address these issues, memory forensics is becoming critical to the analysis of malware and its functions, says Kaspersky Lab principal security researcher Sergey Golovanov.

“As this case proves, a carefully directed incident response can help to solve even well prepared cybercrime,” he highlights.

“We advise organisations to check their systems, keeping in mind that detection of such an attack is possible only in RAM, their network and registry logs. In such instances, the use of Yara rules based on a scan of malicious files is of limited use and comprehensive security software is advised to prevent such attacks,” emphasises Hasbini.

Kaspersky Lab has registered attacks in more than 140 enterprise networks in a range of business sectors. Infections have been registered in 40 countries, including in Turkey, Saudi Arabia, Iran, Libya, Pakistan, Tunisia, Morocco, Egypt, Kenya, Uganda, Congo and Tanzania. ATMitch cases have been reported in just two countries to date, but the attackers might still be active.

“Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organisation. The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools,” says Golovanov.

Further information on the ATMitch malware, including Yara rules for forensic analysis of the fileless attacks, can be found in two blog posts on Securelist.com. Technical details, including Indicators of Compromise, have also been provided to customers of Kaspersky Intelligence Services.

Edited by Martin Zhuwakinyu
Creamer Media Senior Deputy Editor
