Yoroi-Cybaze: a cybercrime APT, possibly related to the group Kaspersky Lab tracked two years ago, is still using ATMitch against banks. Its presence could be the tip of the iceberg of a more complex, multi-stage attack.
An APT, possibly related to the same group Kaspersky Lab tracked two years ago after the compromise of a Russian bank, is still using a particular malware dubbed ATMitch. The criminals’ aim is to manipulate the cash-withdrawal process on the targeted machines. Yoroi-Cybaze cyber security experts analyzed the malicious code in depth and describe it as the “spearhead of a sophisticated cyber arsenal”, especially after they spotted a new sample in the first days of April. What they found suggests that the presence of this malware could be the tip of the iceberg of a more complex, multi-stage attack carried out by advanced cyber-criminals, potentially the Carbanak or the GCMAN group.
The cyber security experts: how the ATMitch attack works
The ATMitch sample recently discovered by Yoroi-Cybaze is one of the key assets used by advanced attackers during bank cyber-robberies. The criminals install it manually on segregated hosts and write commands directly into a file on the target machine, so the malware generates no command-and-control traffic at all. The presence of a prompt window also supports the hypothesis that the attacker uses Remote Desktop to connect directly to the target machine. According to the cyber security experts, the last steps of an attack flow involving the malware are probably the following:
- The attacker connects to the ATM using Remote Desktop;
- The attacker transfers the loader EXE and runs it: the prompt window shows whether everything went well;
- The attacker deletes the initial file to remove tracks;
- The attacker writes commands into the appropriate file;
- The malware executes the new commands and writes the result to the log file;
- The attacker examines the log file to learn the outcome of the command execution.
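Because this flow produces no network traffic, it has to be caught on the host. The following is an added example, not Yoroi-Cybaze’s code and not ATMitch itself: a small correlator that turns the steps above into a detection rule, flagging an RDP logon followed, within a window, by a newly started executable that is deleted afterwards and by a file written by the same interactive user (the command file). The log format, host names, user names, file paths and the 30-minute window are all assumptions made for the example; the event records are constructed, not real ATM telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # rdp_logon | process_create | file_delete | file_write
    user: str
    path: str        # executable for process_create; file for delete/write
    pid: int


# Constructed sample telemetry (not real ATM logs). The pipe-separated layout,
# hosts, users and paths are assumptions for this example. In a real SOC the
# same event kinds come from Windows Security 4624 (LogonType 10 = RDP) and
# 4688 (process creation) and from Sysmon file-create/file-delete events.
SAMPLE_LOG = r"""
2019-04-02T02:13:05|ATM-01|rdp_logon|svc_maint||0
2019-04-02T02:14:40|ATM-01|process_create|svc_maint|C:\Users\svc_maint\loader.exe|4412
2019-04-02T02:15:02|ATM-01|file_delete|svc_maint|C:\Users\svc_maint\loader.exe|0
2019-04-02T02:16:30|ATM-01|file_write|svc_maint|C:\Work\commands.txt|0
2019-04-02T02:16:35|ATM-01|file_write|SYSTEM|C:\Work\result.log|4412
2019-04-02T09:00:00|ATM-02|rdp_logon|admin||0
2019-04-02T09:05:00|ATM-02|process_create|admin|C:\Temp\patch.exe|800
2019-04-02T09:06:00|ATM-02|file_write|admin|C:\Temp\patch.log|0
"""

WINDOW = timedelta(minutes=30)   # assumed correlation window


def parse(line):
    """Parse one constructed log line into an Event."""
    ts, host, kind, user, path, pid = line.split("|")
    return Event(datetime.fromisoformat(ts), host, kind, user, path, int(pid))


def load(text):
    return [parse(l) for l in text.strip().splitlines() if l.strip()]


def detect_loader_sequence(events):
    """Per host: RDP logon, then within WINDOW a process started by the same
    user whose executable is later deleted, plus a file written by that user
    after the process start (the operator's command file). Returns one alert
    per matching (logon, process) pair."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        for i, logon in enumerate(evs):
            if logon.kind != "rdp_logon":
                continue
            deadline = logon.ts + WINDOW
            later = [e for e in evs[i + 1:] if e.ts <= deadline]
            for proc in later:
                if proc.kind != "process_create" or proc.user != logon.user:
                    continue
                # step 3: the loader binary is removed after it has run
                deleted = any(
                    e.kind == "file_delete" and e.ts > proc.ts
                    and e.path.lower() == proc.path.lower()
                    for e in later)
                # step 4: the interactive user writes the command file
                cmd_files = [
                    e.path for e in later
                    if e.kind == "file_write" and e.ts > proc.ts
                    and e.user == logon.user]
                if deleted and cmd_files:
                    alerts.append({
                        "host": host,
                        "user": logon.user,
                        "logon_ts": logon.ts.isoformat(),
                        "loader": proc.path,
                        "command_file": cmd_files[0],
                    })
    return alerts


ALERTS = detect_loader_sequence(load(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

On the constructed input the rule fires once, for ATM-01, and stays silent for ATM-02, where an administrator runs a patch over RDP but never deletes the binary. The write to result.log by SYSTEM is deliberately ignored: it is the malware’s own log output, not the operator’s command, and keying on the interactive user is what keeps the rule from firing on ordinary service activity.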