“Disappearing Malware” Allowed Hackers Steal $800,000 Cash From Russian ATMs
Some Russian banks are having sleepless nights because of a series of robberies that happened in the strangest way possible. As seen on the CCTV footage, a guy walks up to an ATM, stands for 20 minutes and goes back with a handful of cash in Rubles (roughly $100,000). All of this was done without even touching the machine. A similar story was repeated at other ATMs across the city, totaling the amount to $800,000 in just one night.
The banks were completely unaware of how did the guys perform the attacks. They didn’t find any existence of malware on their backend network or the ATMs. The Russian security firm Kaspersky Labs was approached by one of the two affected banks.
The only digital traces of the attack were the two log files which the attackers might’ve left by mistake. The events that occurred on the machines were recorded in the log files. The logs also include a line of text written in English, “Take the money bitch.”
The story of the invisible malware
Earlier this year, Kaspersky Labs reported about invisible fileless malware attacks that affected around 140 banks in Europe, US, and other places. Such kind of malware resides in the random access memory of the devices, thus, reducing the chances of leaving any sign afterward.
Sergey Golovanov, a malware expert at Kaspersky Lab, who worked on the case says that the two log files might’ve been left while uninstalling the malware.
Golovanov and his team examined the two log files and concluded that the attack happened in three stages. First, the machine was commanded to withdraw cash from the cassettes and the second to put it on the dispensing tray. The third stage included the mouth of the ATM. The English text might’ve been logged at the same time and also as an indication on the screen for the guy.
However, that wasn’t enough; the researchers took the help of a tool called YARA to create malware samples using the English text in the log files. They successfully found the match of the malware on VirusTotal – an online malware analysis tool – with two files uploaded by someone from Russia and Kazakhstan.
The researchers analyzed the bank’s network. They were able to reverse engineer the code and reconstruct the attack process. The attackers had built a digital tunnel across the bank’s network which allowed them to execute Windows Powershell commands and control the ATMs in real-time.
Golovanov says that fileless attacks might be difficult to track but not impossible. They’ve linked the possible ties of the attackers with two already known bank hacker gangs. Until now, no arrests have been made.
If you have something to add, drop your thoughts and comments.