How Hackers are emptying ATMs

At this year’s Security Analyst Summit in St Maarten, Kaspersky researcher Igor Soumenkov presented how hackers are using a combination of low-tech and high-tech techniques to empty out ATMs in Europe and Russia.  According to the article at Bleeping Computer, these attacks first started last year, when several banks discovered empty ATMs with a small hole drilled into the side.  From the article:



After calling Kaspersky experts to investigate, it became apparent that no malware had been used in the attacks, yet no one could explain how the attackers forced the ATM to dispense all its bills.


Only when taking a closer look at the drilled hole did researchers understand what happened. The hole’s position was crucial to unraveling the attack.


ATM thieves had drilled a small hole, wide of about 4 centimeters (1.5 inches), on the side of the ATM’s PIN (numbers) pad. After dismantling a similar ATM in their laboratory, Kaspersky researchers realized this hole was right near a crucial ATM component, a 10-pin header.


According to this article, this 10-pin header connected straight to the main bus that interconnects all the other ATM components.  The rig to connect to the ATM cost only about $15 in off-the-shelf parts, plus a laptop to send commands to the ATM, at which point it would dispense its cash.


At this same conference, Kaspersky also presented a second ATM attack:



On Monday, at the same conference, Kaspersky researchers revealed ATMitch, a new attack on ATMs that relies on crooks hijacking a bank’s ATM backend network and installing self-deleting malware on ATMs via RDP connections.

The article on ATMitch explains:



Security researchers have uncovered one of the most sophisticated ATM heists to date, involving a group of cyber criminals specialized in hacking bank networks using fileless malware, and ATM malware that spits out cash and then self-deletes.


These ATM heists are the work of a group of hackers that’s been active for years. Most recently, starting 2016, this group has switched to using legitimate Windows apps and fileless malware to hack into government agencies and banks in at least 40 countries.


Because those attacks used stealthy techniques that left a minimal footprint on infected servers, investigators weren’t able to detect what the crooks were after. Nevertheless, they suspected the hackers stole data from infected systems, albeit they didn’t know what data.

Below is a flow chart from Bleeping Computer showing how the ATMitch system works:



The genius part of this, and what makes it hard to deal with, is that the malware self-deletes once the attack ends, pretty much erasing the evidence.  According to the article, it was discovered as follows:



It was only by accident that on one ATM the malware left behind a file named “tv.dll.” After further digging around, researchers were able to discover how the malware worked and traced it back to banks compromised by the same group they uncovered this past February.


Right now, researchers tracked down only two incidents with ATMitch, to a bank in Russia and one in Kazakhstan, but they believe that many more have also taken place.


The only problem is that detecting either the hacked bank or the hacked ATM is almost impossible as most of the malicious behavior takes place via self-deleting malware and malicious PowerShell scripts executing in memory, without leaving any artifacts on disk. Once the bank server/computer or the ATM is rebooted, most of the clues are wiped from memory.


ATMitch is not the first ATM malware strain that works by forcing ATMs to empty their cash dispensers. Other strains are GreenDispenser, and recent versions of the Alice and Ploutus ATM malware.


I would expect several banks to begin doing some retrofitting of their systems' hardware and software in the near future to try and do away with these vulnerabilities.

