Malware targeting ATMs is always interesting to read about, since the criminals behind these campaigns often employ unusual techniques to monetize their operations. The ATM malware up for today's review is called 'ATMitch,' and it was used in a campaign targeting a Russian bank in 2017. The way the operators of ATMitch carried out their attack raises serious concerns about the security policies of some financial institutions: apparently, ATMitch was deployed manually over an unsupervised Remote Desktop Connection to a bank computer linked to the network that services the ATMs.
ATMitch operates by manipulating the Extension for Financial Services (XFS) API, a toolkit used by thousands of ATMs around the world. The XFS API handles all communication between the ATM software and its peripherals, such as the cash dispenser and the PIN pad. By driving these communications through the ATMitch malware, the attackers could command selected ATMs to dispense their cash at a time convenient for them.
It is still not clear how the attackers managed to open a remote desktop connection to the systems linked to the ATMs. Once a remote connection is established, the attackers transfer the ATMitch executable and launch it manually. This opens a command prompt window that shows information about the operation and tells the attacker whether the attack has completed successfully. Instead of using a Command & Control server, ATMitch takes its instructions from a 'comman.txt' file stored in the 'C:\intel\' directory of the infected host. After executing a command from that file, the malware writes its actions to a local log file.
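The two host-side traces the description above leaves behind, an interactive RDP logon to an ATM-servicing machine and a plain-text command file under C:\intel\, are both things a defender can look for in existing telemetry. The script below is an added example written for this page, not code from the original write-up or from any vendor; it runs over a constructed, flattened rendering of Windows Security 4624 logon events and a constructed file listing (the hostnames, users, IPs, timestamps and the 08:00 to 18:00 maintenance window are all assumptions for the example), and returns findings rather than only printing them.

```python
"""Defender-side triage for the ATMitch traces described on this page.

Two checks:
  1. Interactive RDP logons (Security event 4624, logon type 10) to hosts on
     the ATM-servicing network that fall outside an approved maintenance window.
  2. A text file sitting directly under C:\intel\, which is the file-based
     command channel the write-up describes (no C2 server involved).

All sample data below is constructed for this example. Real deployments would
feed it from a SIEM export or an EDR file inventory instead.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Constructed sample: selected fields of Windows Security 4624/4634 events,
# flattened to one line each (a SIEM export might look similar).
SAMPLE_EVENTS = [
    "2017-02-10T02:13:44 EventID=4624 LogonType=10 TargetUser=svc_atm Workstation=ATM-GW01 SourceIP=10.20.5.17",
    "2017-02-10T09:30:02 EventID=4624 LogonType=2 TargetUser=operator Workstation=ATM-GW01 SourceIP=-",
    "2017-02-10T11:05:19 EventID=4624 LogonType=10 TargetUser=admin Workstation=ATM-GW02 SourceIP=10.20.5.17",
    "2017-02-10T23:58:01 EventID=4634 LogonType=10 TargetUser=svc_atm Workstation=ATM-GW01 SourceIP=10.20.5.17",
]

# Constructed sample: (host, absolute path) pairs from a file inventory.
SAMPLE_FILES = [
    ("ATM-GW01", r"C:\intel\comman.txt"),             # the command file named in the write-up
    ("ATM-GW01", r"C:\Windows\System32\notepad.exe"),
    ("ATM-GW02", r"C:\intel\logs\readme.txt"),         # nested, not the flat path described
]

EVENT_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) Workstation=(?P<host>\S+) SourceIP=(?P<src>\S+)"
)

# Matches a .txt file directly under C:\intel\ (case-insensitive), nothing deeper.
# Note: OEM driver installers also create C:\Intel on many machines, so treat a
# hit as a triage lead to inspect, not as proof of infection on its own.
COMMAND_FILE_RE = re.compile(r"^c:\\intel\\[^\\]+\.txt$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def rdp_logons_outside_window(lines, window_start=time(8, 0), window_end=time(18, 0)):
    """Return findings for successful RDP logons (4624, type 10) outside the window."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["id"] != "4624" or m["lt"] != "10":
            continue  # not a successful interactive-remote logon
        ts = datetime.fromisoformat(m["ts"])
        if not (window_start <= ts.time() <= window_end):
            findings.append(Finding(
                host=m["host"],
                reason="rdp_logon_outside_window",
                detail=f"{m['user']} from {m['src']} at {m['ts']}",
            ))
    return findings


def command_file_artifacts(file_listing):
    """Return findings for text files directly under C:\\intel\\ on any host."""
    return [
        Finding(host=host, reason="file_command_channel", detail=path)
        for host, path in file_listing
        if COMMAND_FILE_RE.match(path)
    ]


def triage(lines, file_listing):
    """Combine both checks, ordered by host so analysts see each machine together."""
    findings = rdp_logons_outside_window(lines) + command_file_artifacts(file_listing)
    return sorted(findings, key=lambda f: (f.host, f.reason))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{f.host:10} {f.reason:26} {f.detail}")
```

Run on the constructed data it reports one off-hours RDP logon to ATM-GW01 and the command file on the same host; the 11:05 logon is inside the window and the 4634 record is a logoff, so neither is flagged. Pairing the two checks matters more than either alone: an off-hours RDP session to an ATM gateway followed by a new text file under C:\intel\ on that host is exactly the sequence the write-up describes.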
Bank cyber heists are becoming a regular occurrence, and attacks like this are certain to push financial institutions to adopt stricter cybersecurity policies and advanced enterprise security solutions.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to ATMitch may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.