
ATMitch malware: Can fileless ATM malware be stopped?

How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it spreads.

A new type of fileless ATM malware known as ATMitch was discovered by Kaspersky Lab researchers and enabled attackers to make illegal withdrawals, and then deleted itself. But how did Kaspersky discover this ATMitch malware? How do the attackers distribute it?

High-security environments typically enforce more stringent security requirements than general usage systems. Even within different types of high-security environments, like those found in banks, different levels of security are needed based on the functionality of a device. A standard desktop computer at a bank must be secure, but it still also needs to be generally functional for day-to-day employee use.

ATM functionality, on the other hand, should be limited to ATM tasks, like withdrawals or deposits, accessed only through the limited ATM interface. Banks can minimize this part of the attack surface of the ATM by limiting what functions are offered through the ATM interface.

While the ATM interface is the most visible aspect of ATM security, ATMs need multiple levels of security to protect against physical and network attacks. Physical security is generally limited by cost, while network security is limited by cost and the need to be remotely manageable.

Sergey Golovanov and Igor Soumenkov, principal security researchers at Kaspersky Lab, wrote about attacks on ATMs that used the ATMitch malware. The attacks used methods that appeared to be similar to tactics used by the advanced persistent threat groups GCMAN and Carbanak.

The ATMitch malware was discovered after Kaspersky Lab was called in by a client in the banking industry to investigate a piece of malware. This could have been as simple as submitting a sample of a potentially suspicious binary via the endpoint protection software to see if the vendor detected any malware, or the bank could have reached out to Kaspersky requesting additional analysis.

The first stage of the ATMitch malware attacks described by Kaspersky relies on gaining access to bank systems, and then using open source or other publicly available utilities to take control of the system and attack other ATMs. Because it runs in memory, the fileless malware disappears after an infected system is rebooted.

Kaspersky reported that a domain controller was also involved in the attack, which could have been part of the method the attackers used to distribute the malware to targeted ATMs. They also reported that the attackers physically attacked ATMs, drilling a hole into the devices in order to execute the commands needed to activate the ATMitch malware and withdraw cash.

It is unclear if the domain controller was limited to just managing ATMs or if it was used across the entire bank, but it seems likely that banks would have completely separate management infrastructures for managing ATMs and managing their general use endpoints. The logs might be correlated between the different environments to detect any suspicious behavior, but remote access to ATMs seems like it should be more limited than access to supporting general use endpoints.
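One way to put the log-correlation point above into practice, as an added example that is not from the article or from Kaspersky: a small Python checker that flags remote logons to ATM hosts from anything other than an assumed dedicated management host and service account, and any code execution that follows such a logon. The hosts, addresses, accounts and the one-line-per-event log format are all constructed for the example.

```python
"""Correlate remote-access events on ATM hosts against an allowlist.

Constructed example: each log line is "host,event,source_ip,account".
Because fileless malware leaves nothing on disk once the ATM reboots,
the logs captured at the time are often the only record of how it arrived.
"""
from collections import defaultdict

# Constructed sample events; hosts, addresses and accounts are invented.
SAMPLE_LOGS = """\
atm-017,remote_logon,10.10.5.2,svc_atm_mgmt
atm-017,process_create,10.10.5.2,svc_atm_mgmt
atm-017,remote_logon,10.20.1.15,helpdesk03
atm-017,process_create,10.20.1.15,helpdesk03
atm-042,remote_logon,10.10.5.2,svc_atm_mgmt
atm-042,remote_logon,10.10.5.2,jdoe
"""

# Assumed policy: only this management host and service account may
# administer ATMs; everything else on the bank network is out of scope.
ATM_MGMT_SOURCES = {"10.10.5.2"}
ATM_MGMT_ACCOUNTS = {"svc_atm_mgmt"}
EXEC_EVENTS = {"process_create", "service_install"}


def parse_logs(text):
    """Turn the CSV-style lines into (host, event, source_ip, account) tuples."""
    events = []
    for line in text.strip().splitlines():
        host, event, src, account = line.split(",")
        events.append((host, event, src, account))
    return events


def find_suspicious(events):
    """Return sorted findings as (host, reason, source_ip, account)."""
    findings = set()
    logons = defaultdict(set)  # host -> {(src, account)} seen logging on remotely
    for host, event, src, account in events:
        if event == "remote_logon":
            logons[host].add((src, account))
            if src not in ATM_MGMT_SOURCES:
                findings.add((host, "logon from non-management source", src, account))
            elif account not in ATM_MGMT_ACCOUNTS:
                findings.add((host, "logon with non-management account", src, account))
        elif event in EXEC_EVENTS and (src, account) in logons[host]:
            # Execution is only expected from the management host/account pair.
            if src not in ATM_MGMT_SOURCES or account not in ATM_MGMT_ACCOUNTS:
                findings.add((host, "code execution after unexpected logon", src, account))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspicious(parse_logs(SAMPLE_LOGS)):
        print(*finding, sep=" | ")
```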


This was last published in August 2017
