Kaspersky has analysed the ATMitch malware in detail and found that this particular malware empties ATMs without leaving behind any trace.
Employees of a bank in Russia were completely baffled when an empty ATM was found with no traces of a break-in. Investigation of the incident led Kaspersky experts to a sophisticated malware. The malware carried out its attack on the bank network “filelessly”, leaving no files behind. In the first step, the malware settles into the bank's network and deletes all its traces, making detection extremely difficult. The second step starts as soon as the criminals have reliable access to the network. Named “ATMitch”, the malware spreads to the ATMs and then searches for the “command.txt” configuration file on the machine in order to take control of it. Through this file the malware can read out the individual slots of the respective ATM and check how much money is available in which slot.
Criminals would then only need to stand in front of the infected machine, enter the command to dispense the contents and walk away with the money. ATMitch subsequently deletes all traces of access by clearing the log files. Digital attack routes against ATMs have been known for quite some time; the major innovation here is the use of fileless malware. This type of malware refrains from using separate files and instead uses existing functions of the operating system, such as Windows PowerShell. It thus evades classic scanners that search for suspicious programmes. Currently, the person or organisation behind the attacks is unknown, but according to Kaspersky, ATMs in Russia and Kazakhstan have been affected. That does not necessarily narrow the scope of the investigation, however, because ATMitch relies on a standard operating-system function for its attacks, so further attacks in other countries are entirely possible.
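As an added illustration (not Kaspersky's code and not part of the original article), the following Python sketch shows how a defender might hunt for the three-stage pattern described above on ATM hosts: a PowerShell launch, access to a command.txt file, then clearing of the audit log, all within a short window. The event field names and the use of Windows event IDs 4688, 4663 and 1102 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Stage predicates (assumed field names; event IDs as in Windows logs)
def is_powershell(e):          # 4688: process creation
    return e["event_id"] == 4688 and "powershell.exe" in e["detail"].lower()

def is_command_file(e):        # 4663: file object access
    return e["event_id"] == 4663 and e["detail"].lower().endswith("command.txt")

def is_log_cleared(e):         # 1102: the audit log was cleared
    return e["event_id"] == 1102

STAGES = (is_powershell, is_command_file, is_log_cleared)

def find_atmitch_sequences(events, window=900):
    """Return {host: (first_ts, last_ts)} for hosts on which the three stages
    occur in order within `window` seconds. A partial chain that outlives the
    window is discarded, so a stale PowerShell launch is not paired with an
    unrelated log clearing hours later."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        stage, start = 0, None
        for e in evs:
            if start is not None and e["ts"] - start > window:
                stage, start = 0, None          # chain expired, start over
            if STAGES[stage](e):
                start = e["ts"] if stage == 0 else start
                stage += 1
                if stage == len(STAGES):
                    hits[host] = (start, e["ts"])
                    break
    return hits

# Constructed sample telemetry, not real ATM logs
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ATM-0017", "event_id": 4688, "detail": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": 160, "host": "ATM-0017", "event_id": 4663, "detail": r"C:\ATM\command.txt"},
    {"ts": 400, "host": "ATM-0017", "event_id": 1102, "detail": "The audit log was cleared"},
    {"ts": 120, "host": "ATM-0042", "event_id": 4688, "detail": r"C:\Windows\System32\notepad.exe"},
    {"ts": 130, "host": "ATM-0042", "event_id": 1102, "detail": "The audit log was cleared"},  # routine maintenance
    {"ts": 50, "host": "ATM-0099", "event_id": 4688, "detail": "powershell.exe"},
    {"ts": 5000, "host": "ATM-0099", "event_id": 4663, "detail": r"D:\command.txt"},  # outside window
    {"ts": 5010, "host": "ATM-0099", "event_id": 1102, "detail": "The audit log was cleared"},
]

if __name__ == "__main__":
    for host, (t0, t1) in find_atmitch_sequences(SAMPLE_EVENTS).items():
        print(f"{host}: ATMitch-like chain between t={t0} and t={t1}")
```

Only ATM-0017 is reported with the default window; ATM-0099 shows the same stages but spread over far longer than 15 minutes, and ATM-0042 clears its log without any preceding PowerShell or command.txt activity.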