Hackers are using self-deleting malware to empty cash machines all over the world, according to experts from Kaspersky Lab.
During the Russian anti-virus firm’s Security Analyst Summit in St Maarten this week, Sergey Golovanov and Igor Soumenkov explained how cyber crime gangs are deploying a malicious program dubbed ATMitch that allows them to steal money from cash dispensers while leaving almost no trace of their activities.
Kaspersky was called in to help by a Russian bank after its forensics specialists discovered two files on the institution’s system containing malware logs.
The bank had been targeted in an attack in which €750,000 had been stolen from its ATMs in a single night. The only evidence the institution had was CCTV images of a lone individual walking up to the machines and taking banknotes that were being dispensed automatically.
While there was no sign of malicious executables on the bank’s systems that might have facilitated such an attack, Kaspersky analysts were able to establish from the surviving logs that the malware had been installed and executed remotely, giving the attackers control of the ATMs.
As well as providing information on how many notes are contained in an ATM’s cassettes, the program allows cyber criminals to force cash machines to start dispensing money at the touch of a button.
Once the program has been successfully installed on a bank’s systems, hackers can commit an ATM robbery in a matter of seconds. The malware then deletes itself after an institution’s machines have been emptied, leaving next to no evidence of its presence.
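Self-deletion is what makes a disk-only investigation come up empty, but the launch and the deletion are two separate events, and endpoint telemetry that records both still leaves a correlatable trace. The script below is an added example, not code from the article or from Kaspersky; it assumes Sysmon-style endpoint events (process creation with the image path and new PID, file deletion with the target path and the deleting PID) and flags any executable that was launched and then deleted shortly afterwards. The pipe-separated log format, the paths, PIDs and timestamps are all constructed for the demo.

```python
"""Triage heuristic: find executables that ran and were then deleted.

Added example, not part of the original article and not Kaspersky's code.
Assumes Sysmon-like telemetry: event 1 = process create (path = Image,
pid = new process), event 23 = file delete (path = TargetFilename,
pid = process that deleted it).  Record format and data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Dict

# Constructed sample events: ts|event_id|pid|path (real Sysmon is EVTX/XML)
SAMPLE_LOG = r"""
# benign service start
2017-03-02T01:12:03|1|4120|C:\Windows\System32\svchost.exe
# unknown binary dropped in ProgramData is launched ...
2017-03-02T01:14:10|1|5288|C:\ProgramData\upd.exe
# ... spawns a shell ...
2017-03-02T01:14:15|1|5301|C:\Windows\System32\cmd.exe
# ... and the shell deletes the binary 90 seconds later
2017-03-02T01:15:40|23|5301|C:\ProgramData\upd.exe
# a log file is deleted but was never executed: not interesting here
2017-03-02T01:20:00|23|5288|C:\ProgramData\upd.log
# temp file cleanup with no matching execution
2017-03-02T01:30:00|23|6000|C:\Windows\Temp\setup_cache.tmp
# executed, deleted by itself 30 minutes later (outside the default window)
2017-03-02T02:40:00|1|7000|C:\Users\Public\x.exe
2017-03-02T03:10:00|23|7000|C:\Users\Public\x.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int   # 1 = process create, 23 = file delete
    pid: int        # created process (EID 1) or deleting process (EID 23)
    path: str       # Image (EID 1) or TargetFilename (EID 23)


@dataclass(frozen=True)
class Finding:
    image: str
    started: datetime
    deleted: datetime
    deleter_pid: int
    deleted_by_self: bool   # True when the process deleted its own image


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse 'ts|eid|pid|path' records, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, pid, path = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(pid), path))
    return sorted(events, key=lambda e: e.ts)


def find_self_deleting(events: List[Event],
                       window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag images that were executed and then deleted within `window`.

    Paths are matched case-insensitively (NTFS is case-insensitive).  Each
    process start is paired with at most one later deletion of its image.
    """
    starts: Dict[str, List[Event]] = {}
    for e in events:
        if e.event_id == 1:
            starts.setdefault(e.path.lower(), []).append(e)

    findings: List[Finding] = []
    for e in events:
        if e.event_id != 23:
            continue
        for s in starts.get(e.path.lower(), []):
            if s.ts <= e.ts <= s.ts + window:
                findings.append(Finding(s.path, s.ts, e.ts, e.pid, e.pid == s.pid))
                break
    return findings


def triage(log_text: str = SAMPLE_LOG, window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Convenience wrapper: parse the constructed log and run the heuristic."""
    return find_self_deleting(parse_events(log_text.splitlines()), window)


if __name__ == "__main__":
    for f in triage():
        who = "itself" if f.deleted_by_self else f"pid {f.deleter_pid}"
        print(f"{f.image}: started {f.started:%H:%M:%S}, deleted {f.deleted:%H:%M:%S} by {who}")
```

The window is deliberately short, since the attack the article describes ran to completion in minutes; widening it trades precision for recall (the constructed `x.exe` case is only caught with a one-hour window). In a real deployment the process-creation event would also carry the parent process and the user, which lets you tell a remote administration session launching an unknown binary in ProgramData apart from a signed installer cleaning up after itself.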
Kaspersky said it is impossible to establish which cyber crime organisation is behind the malware, but noted that one of the files left behind after the malware deleted itself contained information in Russian.
“The attackers may still be active, but don’t panic,” said Golovanov, Principal Security Researcher at Kaspersky.
“Combatting these kinds of attacks requires a specific set of skills from the security specialist guarding the targeted organisation.
“The successful breach and exfiltration of data from a network can only be conducted with common and legitimate tools; after the attack, criminals may wipe all the data that could lead to their detection leaving no traces, nothing.
“To address these issues, memory forensics is becoming critical to the analysis of malware and its functions. And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cyber crime.”
Kaspersky first reported the malware in February, when it revealed that over 140 banks in 40 countries had been affected. As well as institutions in Spain, the UK and France, banks in the US, Kenya and Brazil have been hit by the criminals behind the malware.