メインコンテンツにスキップする

Double Attack: What Are Fileless Banking Attackers Really After?

2017年4月4日

Kaspersky Lab experts reconstruct an ATMitch case – and discover a mysterious way to cash out with ATMs

One day bank employees discovered an empty ATM: there was no money, no traces of physical interaction with the machine, and no malware. After Kaspersky Lab experts spent time unwinding this mysterious case, they were able to not only understand the cybercriminal tools used in the robbery, but also reproduce the attack themselves, discovering a security breach at the bank.

In February 2017 Kaspersky Lab published the results of an investigation into mysterious fileless attacks against banks: criminals were using in-memory malware to infect banking networks. But why were they doing this? The ATMitch case has given us the whole picture.

The investigation started after the bank’s forensics specialists recovered and shared two files containing malware logs from the ATM's hard drive (kl.txt and logfile.txt) with Kaspersky Lab. These were the only files left after the attack: it was not possible to recover the malicious executables because after the robbery cybercriminals had wiped the malware. But even this tiny amount of data can be enough for Kaspersky Lab to run a successful investigation.

Erase / rewind

Within the log files, Kaspersky Lab experts were able to identify pieces of information in plain text that helped them to create a YARA rule for public malware repositories and to find a sample. YARA rules — basically search strings — help analysts to find, group, and categorize related malware samples and draw connections between them based on patterns of suspicious activity on systems or networks that share similarities.

After a day of waiting, experts found a wanted malware sample – "tv.dll", or ‘ATMitch’ as it was later dubbed. It was spotted in the wild twice: once from Kazakhstan, and once from Russia.

This malware is remotely installed and executed on an ATM from within the target bank: through the remote administration of ATM machines. After it’s installed and connected to the ATM, the ATMitch malware communicates with the ATM as if it is legitimate software. It makes it possible for attackers to conduct a list of commands – such as collecting information about the number of banknotes in the ATM’s cassettes. What’s more; it provides criminals with the ability to dispense money at any time, at the touch of a button.

Usually criminals start by getting information on the amount of money a dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. After withdrawing money in this curious way, criminals only need to grab the money and go. An ATM robbery like this takes just seconds!

Once an ATM is robbed, the malware deletes its traces.

ATMitch

Who’s there?

It is still not known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to determine the group responsible. However, "tv.dll", used in the ATM stage of the attack contains a Russian language resource, and known groups that could fit into this profile are GCMAN and Carbanak.

“The attackers may still be active. But don’t panic! Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organization. The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection leaving no traces, nothing. To address these issues, memory forensics is becoming critical to the analysis of malware and its functions. And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Kaspersky Lab products successfully detect operations using the above tactics, techniques and procedures. Further information on this story and Yara rules for forensic analysis of the fileless attacks can be found in the blog on Securelist.com. Technical details, including Indicators of Compromise were also provided to customers of Kaspersky Intelligence Services.

Double Attack: What Are Fileless Banking Attackers Really After?

Kaspersky Lab experts reconstruct an ATMitch case – and discover a mysterious way to cash out with ATMs
Kaspersky logo

Kaspersky について

Kasperskyは1997年に設立された、グローバルなサイバーセキュリティおよびデジタルプライバシーの企業です。これまでに10億台以上のデバイスを新たなサイバー脅威や標的型攻撃から保護しています。深い脅威インテリジェンスとセキュリティの専門知識を生かし、革新性に富んだセキュリティソリューションやサービスを提供することで、世界中の企業、重要インフラ、政府機関、そして個人のお客様を守っています。当社の包括的なセキュリティポートフォリオには、業界をリードするエンドポイント保護製品、専門的なセキュリティ製品とサービス、そして高度なデジタル脅威に対抗するためのサイバーイミューン(Cyber Immune)ソリューションが含まれます。当社は22万社を超える法人のお客様の重要な資産を守る力になっています。詳しくはwww.kaspersky.co.jpをご覧ください。

関連記事 ウイルスニュース