
ATMitch

Posted: May 8, 2019

Malware targeting ATMs is always interesting to read about, since the criminals behind these campaigns often employ different techniques to monetize their operations. The ATM malware up for today’s review is called ‘ATMitch,’ and it has already been used in a campaign targeting a Russian bank in 2017. The way the operators of ATMitch carried out their attack may raise serious concerns about the security policies of some financial institutions – apparently, ATMitch was deployed manually over an unsupervised Remote Desktop connection to a bank computer linked to the network servicing the ATMs.

ATMitch operates by manipulating the Extension for Financial Services (XFS) API – a toolkit used by thousands of ATMs around the world. The XFS API handles the ATM’s communication with its peripherals, such as the cash dispenser and PIN pad. By manipulating these communications through ATMitch, the attackers could command selected ATMs to dispense their cash at a time of the attackers’ choosing.

It is still not clear how the attackers managed to open a remote desktop connection to the systems linked to the ATMs. Once a remote connection is established, the attackers transfer the ATMitch executable and launch it manually; this opens a command prompt window that displays information about the operation and tells the attacker whether the attack has completed successfully. Instead of using a Command & Control server, ATMitch takes its instructions from a ‘comman.txt’ file stored in the ‘C:\intel\’ directory of the infected host. After executing a command from that file, the malware writes its actions to a local log file.
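The two observable traits described above, an interactive RDP logon followed by a command file appearing under ‘C:\intel\’, lend themselves to a simple correlation rule. The script below is an added defender-side example, not part of the original write-up or of any vendor product; the pipe-delimited event lines, the session identifiers and the 30-minute correlation window are constructed assumptions, while logon type 10 is the documented Windows value for a RemoteInteractive (RDP) logon.

```python
"""Added detection example (not from the original post): correlate an RDP
logon with later file writes under C:\\intel\\, the directory named in the
write-up as the location of the ATMitch command file. The event lines are
constructed, simplified records, not real telemetry."""
from datetime import datetime, timedelta

WATCH_DIR = "c:\\intel\\"          # directory named in the write-up
WINDOW = timedelta(minutes=30)     # assumption: correlation window
RDP_LOGON_TYPE = "10"              # Windows logon type 10 = RemoteInteractive

# Constructed log: timestamp|kind|logon-session|detail
SAMPLE_LOG = """\
2019-05-08T10:00:00|logon|S1|10
2019-05-08T10:03:00|proc|S1|C:\\Users\\op\\Desktop\\update.exe
2019-05-08T10:05:00|file|S1|C:\\intel\\comman.txt
2019-05-08T10:06:00|file|S1|C:\\Users\\op\\notes.txt
2019-05-08T10:10:00|logon|S2|2
2019-05-08T10:12:00|file|S2|C:\\intel\\comman.txt
2019-05-08T12:00:00|file|S1|C:\\intel\\later.txt
"""

def parse(text):
    """Turn the pipe-delimited lines into (datetime, kind, session, detail)."""
    events = []
    for line in text.splitlines():
        ts, kind, session, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, session, detail))
    return sorted(events)

def detect(events):
    """Return (session, processes, path) for every file written under
    WATCH_DIR within WINDOW after an RDP logon in the same session; the
    processes started in that session beforehand are reported as context."""
    rdp_start = {}      # session -> time of the RDP logon
    images = {}         # session -> processes launched since that logon
    findings = []
    for ts, kind, session, detail in events:
        if kind == "logon" and detail == RDP_LOGON_TYPE:
            rdp_start[session] = ts
            images[session] = []
        elif kind == "proc" and session in rdp_start:
            images[session].append(detail)
        elif kind == "file" and detail.lower().startswith(WATCH_DIR):
            start = rdp_start.get(session)
            if start is not None and ts - start <= WINDOW:
                findings.append((session, list(images[session]), detail))
    return findings

if __name__ == "__main__":
    for session, procs, path in detect(parse(SAMPLE_LOG)):
        print(f"session {session}: {path} written; processes: {procs}")
```

In the constructed sample only session S1 is flagged: S2 wrote the same file but came from a local (type 2) logon, and the later S1 write falls outside the window.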

Bank cyber heists are becoming a regular occurrence, and attacks like this one are certain to push companies to adopt stricter cybersecurity policies and advanced enterprise security solutions.
