Two Russian banks were compromised by fileless malware which allowed hackers to grab 800,000 dollars worth in rubles just in one night. The banks only noticed that something happened because of surveillance cameras.
So how exactly did that happen? This kind of fileless malware uses legitimate tools already present on the ATMs, so no malicious binary is installed on the system. In addition, the hackers use malware that lives only in RAM and never touches the hard drive. Once the malware is removed, very little evidence of its presence is left.
Kaspersky’s principal security researchers Sergey Golovanov and Igor Soumenkov discussed this attack during the firm’s Security Analyst Summit.
The malware spat out around 40 banknotes at a time, and an unaccompanied man walked up to eight ATMs without touching any of them and grabbed nearly 100,000 dollars from each machine. It took him less than 20 minutes to empty each ATM before he moved on to the next. The CCTV recording was the only proof.
Just one clue was left: two logs that recorded what happened on the machines before the money was stolen. The log files included a single line in English, “Take the money, bitch”. Golovanov said that when he and his colleagues saw that text, they were amused by its nerve.
Currently Kaspersky speculates that these files were left in the system because of some error during the malware’s deletion and that this line presumably showed up on the ATM’s screen too, telling the money mule to start pocketing bills.
The logs clearly demonstrated that the hack had occurred, but samples of the vanished malware were needed to tell how the robbers had managed it. So Golovanov’s team created a YARA rule for the “Bitch” line — YARA is a tool that lets researchers scan a huge number of files against a set of strings — and used it to search submitted files.
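The hunting step described above (write a rule for one telltale string, then run it over a large file set) is easy to illustrate without YARA itself. The block below is an added example, not code from the article or from Kaspersky: a small multi-string scanner in Python that reads files in chunks and keeps an overlap window so that a marker split across a chunk boundary is still found, which is the classic mistake in home-grown scanners. The `SIGNATURES` table, the `placeholder_marker` entry and the chunk sizes are constructed assumptions for the demonstration; the only string taken from the page is the “Take the money” log line.

```python
"""Minimal YARA-style string hunt over files and in-memory buffers.

The equivalent YARA rule for the single indicator from the article would be
(written here as an illustration, not Kaspersky's actual rule):

    rule atm_log_marker {
        strings:
            $s = "Take the money"
        condition:
            $s
    }
"""
import io
import os
from typing import Dict, List

# Constructed indicator table. "placeholder_marker" is a hypothetical second
# string so the scanner demonstrates multi-string rules; it is not from the page.
SIGNATURES: Dict[str, bytes] = {
    "atm_log_marker": b"Take the money",
    "placeholder_marker": b"EXAMPLE_INDICATOR",
}


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of all signatures whose byte string occurs in `data`."""
    return [name for name, needle in signatures.items() if needle in data]


def scan_stream(stream, signatures: Dict[str, bytes] = SIGNATURES,
                chunk_size: int = 1 << 16) -> List[str]:
    """Scan a binary stream chunk by chunk.

    The last (longest_needle - 1) bytes of each window are carried into the
    next one, so a marker straddling two chunks cannot be missed.
    """
    overlap = max(len(s) for s in signatures.values()) - 1
    tail = b""
    found = set()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        found.update(scan_bytes(window, signatures))
        tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_buffer_chunked(data: bytes, chunk_size: int,
                        signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Convenience wrapper: scan an in-memory buffer (e.g. a dumped log or a
    memory region) with a deliberately small chunk size to exercise the overlap."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


def scan_directory(root: str,
                   signatures: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[str]]:
    """Walk `root` and map each file path to the signatures it matched."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    matched = scan_stream(f, signatures)
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
            if matched:
                hits[path] = matched
    return hits


if __name__ == "__main__":
    # Constructed sample: a log-like buffer where the marker is split at byte 105.
    sample = b"A" * 100 + b"Take the money" + b"B" * 10
    print(scan_buffer_chunked(sample, chunk_size=105))
```

Run it against a directory with `scan_directory("/path/to/samples")`; for real hunts the overlap logic is what matters, because a marker cut in half by a chunk boundary is invisible to a naive `needle in chunk` loop.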
VirusTotal is an aggregation site that runs many antivirus engines in one place. It allowed Golovanov, Soumenkov and their team to find a sample, “tv.dll”, or “ATMitch” as the researchers call it, that had been uploaded from Kazakhstan and Russia. They reverse-engineered the code and succeeded in reconstructing how the attack happened. It appears that the hackers created digital tunnels into the bank’s network, which were then used to send PowerShell commands to the ATMs. That is how the attackers could control the machines in real time while the money mule was present. The robbery happened in three stages. The first two sent the ATMs instructions to withdraw bills from the cassettes and prepare them for dispensing, and the third used a command that made the ATMs open their mouths.
So far the robbers have not been arrested. Kaspersky theorizes that the criminals might be connected to one of two already notorious bank hacking gangs, GCMAN and Carbanak. The second-stage malware, “tv.dll,” has a Russian-language resource, which also fits the profile of those organizations.
“It could be just one person or two persons,” Golovanov says. He also insists that tracking fileless malware attacks, while hard, is still possible.
As he noted in a Kaspersky statement, “To address these issues, memory forensics is becoming critical to the analysis of malware and its functions. And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime.”
Such invisible malware attacks are happening more often. According to a Kaspersky report, more than 140 banks, government organizations and telecoms have been subjected to these attacks. They occurred mostly in the United Kingdom, the USA and Ecuador, but also in Brazil, Spain, France, Turkey, Israel and Tunisia, 40 countries overall. The report gave few details about the victims or the amount of money taken.