Newly discovered ATMitch malware sample found to be active in the wild since 2017

• The malware sample is executed using a file named ‘tester.exe’.
• The malware may have been a part of a 2016 advanced cyber-espionage campaign targeting a Russian bank.

Researchers have spotted a new malware sample that is said to be active since 2017. It is believed that the malware may have been a part of a 2016 advanced cyber-espionage campaign targeting a Russian bank.

How does it propagate?

The malware sample is executed using a file named ‘tester.exe’. According to the researchers from Yoroi-Cybaze ZLab, the custom loader helps the malicious payload to take control of the target machine.

“When started, the executable creates a new folder on 'C:\intel' and then starts inspecting all the running processes. It looks for a really particular one: 'fwmain32.exe'. This lookup reveals how deeply environmental aware is this implant. In fact, the 'fwmain32' process is part of the software services produced by Wincor Nixdorf International GmbH, one of the major vendors providing retail and banking hardware such as ATMs,” the researchers explained in a blog post.

How does the attack occur?

Following are the steps by which the attack is launched using the malware:

• The attacker first connects to the target ATM machine using Remote Desktop;
• Once connected, it allows the attacker to transfer and run the loader EXE. The loader prompts the window which shows if everything went well;
• The attacker later deletes the initial file in order to remove tracks;
• The malicious command is written in the appropriate file;
• The malware executes the new commands and writes in the log file;
• The attacker examines the log file to know the state of the command execution.

What are the capabilities?

The capabilities of ATMitch are:

• It can read commands from a file included into “c:\intel” folder;
• It can interact with the ATM drivers to retrieve information about the current amount and the dispensed amount;
• It can initiate communication between the PINPad and Dispenser components using ‘msxfs.dll’ library.