Yoroi-Cybaze ZLAB: Cybercrime attacks banking sector with ATM Malware. It doesn’t rely on standard communication interfaces, suggesting increased level of customization. It makes extensive use of Java Instrumentation techniques to manipulate the control flow of a legit Java-based ATM management software
Cybercrime attacks and tool used against Automatic Teller Machines (ATM) are evolving. It has been confirmed by Yoroi-Cybaze ZLAB cyber security experts, who analyzed the “ATM Malware“: a malicious tool probably linked to recent cyber criminal operation against the banking sector. According to the researchers, ATM malware does not rely on standard communication interfaces. It is using other more specific techniques, suggesting an increased level of customization, maybe achieved by leveraging knowledge from the inside of the target organizations. It makes extensive use of Java Instrumentation techniques in order to manipulate the control flow of a legit Java-based ATM management software.
The ATM Malware capabilities
According to the cyber security experts, ATM Malware has the capability to execute the specified command through cmdline, dispense the specified amount from the dispenser cash unit identified by cybercrime, return the current amount of cash of each cash unit, execute the script using Java Script Engine, and return info about the specified running Java classes. Furthermore, the malicious code can invoke the method belonging to the specified Java class, display an HTML form to insert info about JAR to load, and load a new JAR file end execute the specified method. A set of tools to ensure the criminals will be able to overcome eventual technical faults in their ATM cashouts.
The cyber security experts: The question is how the crooks accessed deep knowledge of the target systems
Yoroi-Cybaze ZLAB reminds that cybercrime threatens financial and banking sector since a long time. But, during the years, criminal groups evolved their operation and developed more sophisticated arsenals, achieving customization capabilities making them able to target specific organizations, even if they are not leveraging known Industry Standards. As recently pointed by Kaspersky, these criminals reached such sophistication and customization levels by leveraging deep knowledge of the target systems, making the malware work just on a small fraction of the AMTs. How the crooks accessed this knowledge is the Question. At the moment it’s not clear how the technical information required to develop ad hoc malware have been accessed. A wide range of scenario are possible, such as the involvement of an insider, the long term compromise of the whole target network or just a small subset of mailboxes, or maybe a compromise of the Software Development Supply Chain.