Kaspersky provides more details about ATMs that enabled criminals to take control of the machine to empty it of cash
A group of cyber criminals hacked into bank networks and used ATM malware that spits out cash and then self-destructs.
Last month, Kaspersky Lab alleged that a group of hackers had used Windows apps and fileless malware to hack into banks and government agencies in at least 40 countries.
But as the techniques they used were sophisticated, investigators struggled to determine the reason for the hacks, assuming that they were looking to steal data from the systems.
Now, researchers at Kaspersky Lab believe they know the reason for the bank hacks, thanks to two files containing malware logs they got from the compromised ATM hard drives – the only files left after the attack.
After analysing the files, security specialists found the wanted malware sample ‘tv.dll’ or ‘ATMitch’ spotted twice: once from Kazakhstan and once from Russia.
At Kaspersky’s Security Analyst Summit this week, the company said that criminals broke into the networks of banks by using a number of different exploits. They used legitimate and reputable applications, including Windows tools, while they used PowerShell-based malware to help them gain access to nearby systems.
Their target was the system that manages the bank’s ATM network – and they used the system’s Remote Desktop Protocol (RDP) feature to connect to the ATMs and install ATMitch on them.
The malware communicates with the ATM as if it is legitimate software, and enables the attackers to use a list of commands, such as collecting information about the number of banknotes in the ATM’s cassettes. One of the commands includes the ability to make the ATM dispense money at any time at the touch of a button.
The hackers start by retrieving information on the amount of money a dispenser has. After that, a criminal can send a command to dispense any number of banknotes from any cassette. Once the criminal has taken the money from the ATM, the malware deletes itself.
Kaspersky Lab said it still doesn’t know who was behind the attacks, arguing that the use of open source exploit code, common Windows utilities and unknown domains during the first stage of the operation makes it almost impossible to determine the group responsible.
However, the ‘tv.dll’ malware contains a Russian language resource, and researchers said known hacking groups that could fit into this profile include GCMAN and Carbanak.
Vulnerabilities in ATMs are increasingly being targeted by cyber criminals; in August last year, Weston Hecker, a senior security consultant at security company Rapid7 found that it was possible to milk $50,000 from a ‘next-generation’ ATM in 15 minutes because of flaws in chip-and-pin card infrastructure.
Meanwhile the Government Savings Bank of Thailand was hit by a 12 million baht (£265,000) ATM fraud last year, just a month after the theft of $2.2m from ATMs in Taiwan.
Wincor Nixdorf ATMs were shut down entirely in Taiwan because of a string of thefts, which it suspected was down to a specialist form of malware.