The method was a complete mystery, and the only clues left behind were files containing a single line of English text: "Take the money, bitch."
In total, eight ATMs belonging to two Russian banks were hacked last year, and the banks might still not know about it had security analysts not uncovered the attack.
It was fast and furious, and if not for the surveillance cameras that captured the heist in action, two banks in Russia would never have known what occurred last year when eight of their ATMs were drained of cash, nearly a million dollars' worth of rubles in a single night.
Hackers targeted at least eight ATMs in Russia and stole $800,000 in a single night, but the method used by the intruders remained a complete mystery: the CCTV footage showed only a lone culprit walking up to the ATM and collecting cash without even touching the machine.
When one of the banks contacted the Russian cybersecurity firm Kaspersky Lab to investigate, the only evidence was CCTV recordings showing a lone culprit walking up to the ATMs and, without even touching the machines, grabbing thick stacks of bills (about $100,000 worth of cash from each machine, dispensed 40 bills at a time) as they magically spit out. It took less than 20 minutes to clean one machine dry before the money mule moved on to other ATMs in the city and replayed the scene.
Even the affected banks could not find any trace of malware on their ATMs or back-end network, or any sign of an intrusion. The only clue the unnamed bank's specialists found on an ATM's hard drive was two files containing malware logs.
The log files included two process strings containing the phrases "Take the Money Bitch!" and "Dispense Success."
"Our theory is that during the uninstall [of the malware], something went wrong with the malware and that's why the [log] files were left," says Sergey Golovanov, principal security researcher with Kaspersky in Russia, who investigated the heists.
This small clue was enough for the researchers from the Russian security firm Kaspersky, who have been investigating the ATM heists, to find malware samples related to the ATM attack.
Earlier this year, in February, Kaspersky reported that a rash of invisible "fileless" attacks had targeted more than 140 banks and other targets in Europe, the US and elsewhere, but provided few details about the victims or the degree to which the attacks succeeded.
Fileless malware attacks use the legitimate tools already present on a machine so that no malware is installed on the system, or they use malware that resides only in the infected machine's random-access memory rather than on the hard drive, so that the malware leaves no discernible footprint once it's gone.
The two Russian banks that were robbed in that single night were victims of a fileless attack, and on 4 April 2017, at Kaspersky's Security Analyst Summit on the island of St. Maarten, Golovanov revealed the story behind the attacks.
Mysterious ATM Hack Uncovered by Security Analysts
Dubbed ATMitch, the malware, previously spotted in the wild in Kazakhstan and Russia, is remotely installed and executed on ATMs via its remote administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then send the command to the ATM to dispense cash.
Since fileless malware uses the legitimate tools already on a machine so that no malware is installed on the system, the ATM treats the malicious code as legitimate software, allowing remote operators to send the command at the moment when their associates are standing at the infected ATM to pick up the money.
This ATM theft takes just a few seconds to complete, without the operator physically going near the machine. Once the ATM has been emptied, the operator 'signs off,' leaving very little trace, if any, of the malware.
However, this remote attack is possible only if an attacker first tunnels in through the bank's back-end network, which requires far more sophisticated network intrusion skills.
How did this malware work?
Golovanov told Motherboard in an interview before the conference that when he and his colleagues examined the two log files containing the English text, they laughed at the boldness. The heist worked in three stages: the first two used commands that instructed the ATM to withdraw the bills stored in cassettes and place them in line to be dispensed, and the third used a command that opened the mouth of the ATM. It was at this point that the command "Take the money bitch" appeared in the log file, and possibly on the ATM's screen as well, to signal the money mule to grab the bills and go.
Since opening the ATM's panel directly could also trigger an alarm, attackers switched to a very precise form of physical penetration: drilling a golf-ball-sized hole in the ATM's front panel to gain direct access to the cash dispenser using a serial distributed control (SDC, RS485 standard) wire.
This method was revealed when Golovanov and Soumenkov were able to reverse engineer the ATM attack after police arrested a man dressed as a construction worker while he was drilling into an ATM to inject malicious commands in the middle of the day to trigger the machine’s cash dispenser.
Currently, the group or country behind these ATM hacks is unknown, but coding present in the attack contains references to the Russian language, and the tactics, techniques, and procedures bear a resemblance to those used by bank-robbing gangs Carbanak and GCMAN.
The research work done so far
The log files made it obvious that the bank had been hacked, but the researchers needed samples of the missing malware that had been on the machines to see how the robbers had pulled it off. So Golovanov and his team created a YARA rule for the line of English text they found in the logs (YARA is a tool that lets researchers sift through a lot of files and networks using a search string) and used it to search files submitted to VirusTotal.
VirusTotal is a website that aggregates dozens of antivirus programs in one spot. Security researchers and others can submit suspicious files to the site to see if any of the programs detect them as malicious. Golovanov's team found a match with two files that someone had uploaded from Russia and Kazakhstan.
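A defender's version of that hunt, as an added example (not Kaspersky's code or their actual rule): it states the YARA rule such a search would use and reproduces its matching in Python, including the wide (UTF-16LE) variant that matters when the only remaining artifact is a memory dump rather than a log file. The rule text and the sample inputs are constructed.

```python
"""YARA-style hunt for the ATMitch log strings, in pure Python (constructed example)."""
import re
from dataclasses import dataclass

# Illustrative YARA rule (an assumption, not Kaspersky's own rule text); the
# Python below reproduces its ascii/wide/nocase modifiers and 'any of them'.
ATMITCH_RULE = r"""
rule atmitch_log_strings
{
    strings:
        $take = "Take the Money Bitch!" ascii wide nocase
        $disp = "Dispense Success" ascii wide nocase
    condition:
        any of them
}
"""
INDICATORS = {"take": "Take the Money Bitch!", "disp": "Dispense Success"}


@dataclass
class Hit:
    name: str      # YARA string identifier
    offset: int    # byte offset in the scanned buffer
    encoding: str  # "ascii" or "wide" (UTF-16LE)


def scan_bytes(data: bytes) -> list:
    """Return every indicator hit; re.IGNORECASE stands in for nocase."""
    hits = []
    for name, text in INDICATORS.items():
        for encoding, raw in (("ascii", text.encode("ascii")),
                              ("wide", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(raw), data, re.IGNORECASE):
                hits.append(Hit(name, m.start(), encoding))
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's 'any of them' condition: a single hit is enough."""
    return bool(scan_bytes(data))


# Constructed samples: an ATM log remnant, a memory-dump-like buffer holding the
# string as UTF-16LE (how .NET/PowerShell processes keep strings), and a benign log.
SAMPLE_LOG = (b"[12:01:03] dispense 40 notes\r\n[12:01:05] Dispense Success\r\n"
              b"[12:01:05] Take the Money Bitch!\r\n")
SAMPLE_MEM = b"\x00" * 16 + "dispense success".encode("utf-16-le") + b"\x00" * 8
SAMPLE_CLEAN = b"ATM service log: cassette 1 ok, cassette 2 ok\r\n"

if __name__ == "__main__":
    for label, blob in (("log", SAMPLE_LOG), ("mem", SAMPLE_MEM), ("clean", SAMPLE_CLEAN)):
        print(label, rule_matches(blob), scan_bytes(blob))
```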
They reverse-engineered the code and dug through the bank's network to reconstruct how the attack occurred, discovering that the hackers had built extensive digital tunnels throughout the bank's network, which they used to issue PowerShell commands to the ATMs. This allowed the attackers to control the machines in real time while the money mule was present.
"It could be just one person or two persons [doing this]," Golovanov says, noting that the CCTV images seemed to show the same person extracting money from all the ATMs.
Golovanov says that tracking fileless attacks is difficult but not impossible.
"To address these issues, memory forensics is becoming critical to the analysis of malware and its functions," he noted in a statement released by Kaspersky. "And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime."
Fileless malware attacks are becoming more frequent. Just last month, researchers found a new fileless malware, dubbed DNSMessenger, that uses DNS queries to deliver malicious PowerShell commands to compromised computers, making the malware difficult to detect.