ATMitch malware: Can fileless ATM malware be stopped?

A new type of fileless ATM malware known as ATMitch was discovered by Kaspersky Lab researchers and enabled attackers to make illegal withdrawals, and then deleted itself. But how did Kaspersky discover this ATMitch malware? How do the attackers distribute it?

High-security environments typically enforce more stringent security requirements than general usage systems. Even within different types of high-security environments, like those found in banks, different levels of security are needed based on the functionality of a device. A standard desktop computer at a bank must be secure, but it still also needs to be generally functional for day-to-day employee use.

ATM functionality, on the other hand, should be limited to ATM tasks, like withdrawals or deposits, accessed only through the limited ATM interface. Banks can minimize this part of the attack surface of the ATM by limiting what functions are offered through the ATM interface.

While the ATM interface is the most visible aspect of ATM security, ATMs need multiple levels of security to protect against physical and network attacks. Physical security is generally limited by cost, while network security is limited by cost and the need to be remotely manageable.

Sergey Golovanov and Igor Soumenkov, principal security researchers at Kaspersky Lab, wrote about attacks on ATMs that used the ATMitch malware. The attacks used methods that appeared to be similar to tactics used by the advanced persistent threat groups GCMAN and Carbanak.

The ATMitch malware was discovered after Kaspersky Lab was called in by a client in the banking industry to investigate a piece of malware. This could have been as simple as submitting a sample of a potentially suspicious binary via the endpoint protection software to see if the vendor detected any malware, or the bank could have reached out to Kaspersky requesting additional analysis.

The first stage of the ATMitch malware attacks described by Kaspersky relies on gaining access to bank systems, and then using open source or other publicly available utilities to take control of the system and attack other ATMs. Because it runs in memory, the fileless malware disappears after an infected system is rebooted.

Kaspersky reported that a domain controller was also involved in the attack, which could have been part of the method the attackers used to distribute the malware to targeted ATMs, though they also reported that attackers physically attacked ATMs, drilling a hole into the devices in order to execute the commands needed to activate the ATMitch malware and withdraw cash.

It is unclear if the domain controller was limited to just managing ATMs or if it was used across the entire bank, but it seems likely that banks would have completely separate management infrastructures for managing ATMs and managing their general use endpoints. The logs might be correlated between the different environments to detect any suspicious behavior, but remote access to ATMs seems like it should be more limited than access to supporting general use endpoints.