Hackers stole $800,000 from ATMs using Fileless Malware

Monday, April 03, 2017 Swati Khandelwal
8236 1984 1016 11.4K
atm-fileless-malware
Hackers targeted at least 8 ATMs in Russia and stole $800,000 in a single night, but the method used by the intruders remained a complete mystery

with CCTV footage just showing a lone culprit walking up to the ATM and collecting cash without even touching the machine.
Even the affected banks could not find any trace of malware on its ATMs or backend network or any sign of an intrusion. The only clue the unnamed

bank's specialists found from the ATM's hard drive was — two files containing malware logs.
The log files included the two process strings containing the phrases: "Take the Money Bitch!" and "Dispense Success."
This small clue was enough for the researchers from the Russian security firm Kaspersky, who have been investigating the ATM heists, to find

malware samples related to the ATM attack.
In February, Kaspersky Labs reported that attackers managed to hit over 140 enterprises, including banks, telecoms, and government organizations,

in the US, Europe and elsewhere with the 'Fileless malware,' but provided few details about the attacks.
According to the researchers, the attacks against banks were carried out using a Fileless malware that resides solely in the memory (RAM) of the

infected ATMs, rather than on the hard drive.
Now during the Kaspersky Security Analyst Summit in St. Maarten on Monday, security researchers Sergey Golovanov and Igor Soumenkov delved into

the ATM hacks that targeted two Russian banks, describing how the attackers used the fileless malware to gain a strong foothold into bank's

systems and cash out, ThreatPost reports.
Mysterious ATM Hack Uncovered by Researchers
kaspersky-fileless-malware
Dubbed ATMitch, the malware — previously spotted in the wild in Kazakhstan and Russia — is remotely installed and executed on ATMs via its remote

administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then sending the command to the ATM to

dispense cash.
Since Fileless malware uses the existing legitimate tools on a machine so that no malware gets installed on the system, the ATM treats the

malicious code as legitimate software, allowing remote operators to send the command at the time when their associates are present on the

infected ATM to pick up the money.
This ATM theft takes just a few seconds to be completed without the operator physically going near the machine. Once the ATM has been emptied,

the operator 'signs off,' leaving a very little trace, if any, of the malware.
However, this remote attack is possible only if an attacker tunnels in through the bank's back-end network, a process which required far more

sophisticated network intrusion skills.
A Very Precise Form of Physical Penetration
Since opening the ATM's panel directly could also trigger an alarm, attackers switched to a very precise form of physical penetration: Drilling a

golf-ball sized hole in ATM's front panel to gain direct access to the cash dispenser panel using a serial distributed control (SDC RS485

standard) wire.
This method was revealed when Golovanov and Soumenkov were able to reverse engineer the ATM attack after police arrested a man dressed as a

construction worker while he was drilling into an ATM to inject malicious commands in the middle of the day to trigger the machine’s cash

dispenser.
The suspect was arrested with a laptop, cables, and a small box. Although the researchers did not name the affected ATM manufacturer or the

banks, they warn that ATM burglars have already used the ATM drill attack across Russia and Europe.
In fact, this technique also affects ATMs around the world, leaving them vulnerable to having their cash drawn out in a matter of minutes.
Currently, the group or country behind these ATM hacks is unknown, but coding present in the attack contains references to the Russian language,

and the tactics, techniques, and procedures bear a resemblance to those used by bank-robbing gangs Carbanak and GCMAN.
Fileless malware attacks are becoming more frequent. Just last month, researchers found a new fileless malware, dubbed DNSMessenger, that uses

DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect.
Swati - Hacking News
Swati Khandelwal
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related

developments.
Best Deals Gadgets, Software, Trainings
96% OFF
The Super-Sized Ethical Hacking Bundle
BUY NOW $43.00
The Super-Sized Ethical Hacking Bundle 97% OFF
Ethical Hacking A to Z Bundle
BUY NOW $39.00
Ethical Hacking A to Z Bundle 100% OFF
Pay What You Want: White Hat Hacker 2016 Bundle
BUY NOW $1.00
Pay What You Want: White Hat Hacker 2016 Bundle
Latest Stories

THN Weekly Roundup — 10 Most Important Stories You Shouldn't Miss
Here we are with our weekly roundup, briefing this week's top cyber security threats, incidents and challenges. This week has ...

Dark Web Users Suspect "Dream Market" Has Also Been Backdoored by Feds
By now you might be aware of the took down of two of the largest online dark websites—AlphaBay and Hansa—in what's being called...

How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group
What could be the best way to take over and disrupt cyber espionage campaigns? Hacking them back? Probably not. At least not whe...

Tor Launches Bug Bounty Program — Get Paid for Hacking!
With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started Bug Bou...

Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust
It's finally confirmed — In a coordinated International operation, Europol along with FBI, DEA (Drug Enforcement Agency) and Dutch...
Comments (6)

ransomware-protection
POPULAR STORIES
Hacker Uses A Simple Trick to Steal $7 Million Worth of Ethereum Within 3 Minutes
Hacker Uses A Simple Trick to Steal $7 Million Worth of Ethereum Within 3 Minutes
Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust
Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust
Hackers Stole $32 Million in Ethereum; 3rd Heist in 20 Days
Hackers Stole $32 Million in Ethereum; 3rd Heist in 20 Days
Learn Ethical Hacking Online: A to Z Training Courses
Learn Ethical Hacking Online: A to Z Training Courses
(New) Become A Professional Hacker — 9 Online Training Courses
(New) Become A Professional Hacker — 9 Online Training Courses
Dark Web Users Suspect "Dream Market" Has Also Been Backdoored by Feds
Dark Web Users Suspect "Dream Market" Has Also Been Backdoored by Feds
How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group
How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group
New Linux Malware Exploits SambaCry Flaw to Silently Backdoor NAS Devices
New Linux Malware Exploits SambaCry Flaw to Silently Backdoor NAS Devices
Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!
Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!
Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk
Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk
Windows 10 Will Now Let You Reset Forgotten Password Directly From the Lock Screen
Windows 10 Will Now Let You Reset Forgotten Password Directly From the Lock Screen