Monday, 1 May 2017

Hacker Stolen $800,00 from Russian ATMS Without even!

The method was a complete mystery, and the only clues left behind were files containing a single line of English text: "Take the money, bitch."

In total 8 ATM's were Hacked of 2 Russian banks last year. And still the banks might not have known if the Hack would have not been revealed by Security Analysts.

It was fast and furious, and if not for the surveillance cameras that captured the heist in action, two banks in Russia would never have known what occurred last year when eight of their ATMs were drained of cash—nearly a million dollars worth of rubles in a single night.

Mysterious ATM Hack Uncovered by Security Analysts

Click to view full size image

Dubbed ATMitch, the malware — previously spotted in the wild in Kazakhstan and Russia — is remotely installed and executed on ATMs via its remote administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then sending the command to the ATM to dispense cash.

Since Fileless malware uses the existing legitimate tools on a machine so that no malware gets installed on the system, the ATM treats the malicious code as legitimate software, allowing remote operators to send the command at the time when their associates are present on the infected ATM to pick up the money.

This ATM theft takes just a few seconds to be completed without the operator physically going near the machine. Once the ATM has been emptied, the operator 'signs off,' leaving a very little trace, if any, of the malware.

However, this remote attack is possible only if an attacker tunnels in through the bank's back-end network, a process which required far more sophisticated network intrusion skills.

How this malware worked?

Golovanov told Motherboard in an interview before the conference that when he and his colleagues examined the two log files containing the English text, they laughed at the boldness. The heist worked in three stages, with the first two using commands that instructed the ATM to withdraw the bills stored in cassettes and place them in line to be dispensed, and the third stage using a command that opened the mouth of the ATM. It was at this point that the command, "Take the money bitch," appeared in the log file, and possibly on the ATM's screen as well to signal the money mule to grab the bills and go.

The log files made it obvious that the bank had been hacked, but the researchers needed samples of the missing malware that had been on the machines to see how the robbers had pulled it off. So Golovanov and his team created a YARA rule for the line of English text they found in the logs - YARA is a tool that lets researchers sift through a lot of files and networks using a search string—and used it to search files submitted to.

VirusTotal is a website that aggregates dozens of antivirus programs in one spot. Security researchers and others can submit suspicious files to the site to see if any of the programs detect them as malicious. Golovanov's team found a match with two files that someone had uploaded from Russia and Kazakhstan.

They reverse-engineered the code and dug through the bank's network to reconstruct how the attack occurred, discovering that the hackers built extensive digital tunnels throughout the bank's network, which they used to issue PowerShell commands to the ATMs. This allowed the attackers to control the machines in real-time when the money mule was present.

"It could be just one person or two persons [doing this]," Golovanov says, noting that the CCTV images seemed to show the same person extracting money from all the ATMs.

Golovanov says that tracking fileless attacks is difficult but not impossible.
"To address these issues, memory forensics is becoming critical to the analysis of malware and its functions," he noted in a statement released by Kaspersky. "And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime."

No comments:

Post a Comment