The malware ATMitch can force ATM systems to tally and report how many banknotes are held in a dispenser, and then command them to pay out from any cassette.

Kaspersky Lab on Tuesday revealed further details about a memory-only "fileless malware" campaign that a cybercriminal organization has been employing to steal money remotely from ATMs while leaving behind virtually no trace of malicious activity.

According to a Securelist blog post, the primary payload used in the cyberheists is ATMitch, a malware capable of issuing a variety of commands to compromised ATMs, including counting the number of banknotes in a dispenser (for reconnaissance purposes) and dispensing money from any cassette with the mere touch of a button. "After withdrawing money in this unique way, criminals only need to grab the money and go. An ATM robbery like this takes just seconds!" Kaspersky stated in a corresponding press release, issued in conjunction with the company's Security Analyst Summit in St. Maarten.

Kaspersky first reported on this cyberheist campaign last February, detailing the early stages of infection: attackers use an exploit to compromise a victim's servers and load PowerShell scripts and Meterpreter (a payload of the Metasploit penetration testing framework) into memory. Because this code lives only in memory and never touches disk, it is difficult to detect and track. From there, the adversaries leverage legitimate Windows utilities and tools to establish a remote desktop connection to the ATM network via tunneling.

Kaspersky's latest report details what happens after these steps: the attackers' command-and-control server remotely installs and executes the ATMitch malware, which then searches its own directory for a file named "command.txt". Upon finding it, the malware executes whatever command was written into that file, writes the result of the command to a log file, and deletes "command.txt" from the ATM's hard drive to erase the evidence. Kaspersky further noted that ATMitch drives the ATM hardware through the standard XFS (eXtensions for Financial Services) library, the same interface legitimate ATM software uses, so the dispense commands themselves look like ordinary ATM operations.
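The detail that matters for defenders is that the command file is deleted as soon as it is consumed, so a periodic scan of the ATM's disk will not find it; what does survive is the create/delete pair in a file-audit trail (for example Sysmon file-creation events or Windows object-access auditing). The following is an added example, not Kaspersky's or ATMitch's code, that runs that detection logic over a constructed audit trail: it flags any file named command.txt that is created and then deleted within a short window, and ignores a long-lived file of the same name. The FileEvent record, the sample events, and the paths and process names in them are hypothetical stand-ins for whatever your audit source actually emits.

```python
"""Detection sketch for the command.txt drop-and-delete behaviour described above.

Added example; this is not Kaspersky's or ATMitch's code. The FileEvent record
and SAMPLE_EVENTS are constructed, simplified stand-ins for a real file-audit
source; the paths and process names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the event was recorded
    action: str       # "create", "write" or "delete"
    path: str         # full Windows path of the file
    process: str      # image name of the process that performed the action


def _at(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample audit trail (hypothetical paths and process names).
SAMPLE_EVENTS = [
    # A short-lived command.txt: created, consumed, log written, then deleted.
    FileEvent(_at("2016-06-01 02:00:00"), "create", r"C:\ATM\bin\command.txt", "dropper.exe"),
    FileEvent(_at("2016-06-01 02:00:02"), "write",  r"C:\ATM\bin\log.txt",     "dropper.exe"),
    FileEvent(_at("2016-06-01 02:00:03"), "delete", r"C:\ATM\bin\command.txt", "dropper.exe"),
    # A benign command.txt an operator left around for a day before removing it.
    FileEvent(_at("2016-06-01 09:00:00"), "create", r"C:\Users\ops\notes\command.txt", "notepad.exe"),
    FileEvent(_at("2016-06-02 09:00:00"), "delete", r"C:\Users\ops\notes\command.txt", "explorer.exe"),
    # An unrelated file that must be ignored entirely.
    FileEvent(_at("2016-06-01 02:00:01"), "create", r"C:\ATM\bin\cash.log", "atmapp.exe"),
]


def detect_command_file_drops(
    events: Iterable[FileEvent],
    filename: str = "command.txt",
    max_lifetime: timedelta = timedelta(minutes=5),
) -> List[Tuple[str, str, float]]:
    """Return (path, creating_process, lifetime_seconds) for every file named
    `filename` that was created and then deleted within `max_lifetime`.

    Pairing is per full path, so the same name in two directories is tracked
    separately. A create with no matching delete, or a delete whose lifetime
    exceeds the threshold, is not reported.
    """
    pending = {}   # lower-cased path -> create event awaiting its delete
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.path.lower()
        if key.rsplit("\\", 1)[-1] != filename.lower():
            continue
        if ev.action == "create":
            pending[key] = ev
        elif ev.action == "delete" and key in pending:
            created = pending.pop(key)
            lifetime = ev.ts - created.ts
            if lifetime <= max_lifetime:
                hits.append((ev.path, created.process, lifetime.total_seconds()))
    return hits


if __name__ == "__main__":
    for path, proc, secs in detect_command_file_drops(SAMPLE_EVENTS):
        print(f"ALERT: {path} created by {proc} and deleted after {secs:.0f}s")
```

Run against the sample trail, only the three-second C:\ATM\bin\command.txt drop is reported; the operator's file that sat for a day is not. The filename and window are parameters because the same create-then-delete pattern is worth watching for any file an attacker uses as a one-shot control channel, not just the name ATMitch happens to use.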

At the time of the first report, more than 140 enterprises worldwide had been infected by this campaign, including 21 organizations within the U.S. In addition to banks, government and telecom entities were also targeted in unspecified ways.

In another new detail, Kaspersky revealed that its investigation began after a Russian bank in June 2016 reported a sophisticated malware-based ATM theft. Although the malicious executables had been wiped from the financial institution's systems, the bank's forensics specialists were able to recover two files containing malware logs from the ATM's hard drive. Using just the contents of those logs, Kaspersky researchers built a search signature that led them to ATMitch, which was spotted in the wild twice: once in Russia, once in Kazakhstan.