In a single night, thieves withdrew $800,000 from eight ATMs. They left only one trace behind: a file with logs of operations and the message "Take the money, man!", which appeared on the ATM display when the cash was being dispensed. Kaspersky experts uncovered new ways of robbing ATMs.
In a single night, eight ATMs of an unnamed Russian bank dispensed a total of $800,000 (roughly 20 million CZK). That would not be unusual if the money had not disappeared without the bank's knowledge. The ATMs were empty. Not a trace of the attackers. No visible malware or remnants of it. Nothing. It looked like an absolutely perfect robbery. Moreover, the security camera footage showed only an unknown passer-by who did not even touch the ATM. Only after a while did he take the cash that the machine seemed to offer him on its own.
As the security experts Sergei Golovanov and Igor Soumenkov found out, it was not like that. They revealed the background of the case at the Security Analyst Summit. In at least one device, a text file named KL.txt had been left on the hard disk. It contained a complete log of the operations performed. Among other things, it held a message that probably appeared on the ATM display at the moment the cash was ready for collection: "Catch some money, bitch!" (loosely: Take the money, man!). The money mule (the experts do not assume that the hackers themselves went to the ATMs for the cash) did not have to touch the ATM at all. The cash simply came out at the agreed moment. That is exactly what the security cameras caught. It took no more than 20 minutes to empty one ATM of cash.
This is what the text file that Kaspersky Lab experts found on the disk of the infected ATM looked like.
It was not a robbery in which the bank's legitimate tools were misused without the need to install any malware that would leave visible traces. Even in such cases the attackers have to get into the institution somehow, for example by phishing or by enlisting the cooperation of the company's employees. The fact that the file with the record of operations (the logs) survived showed that malware had been installed which tried to hide itself and leave no traces (for example by being loaded only into RAM, the volatile memory), but something went wrong when it uninstalled itself.
Golovanov and Soumenkov therefore created a YARA detection rule, the tool used mainly in cases where researchers need to detect hitherto unknown code. They found that the attackers had once again taken advantage of a known bug (an unpatched vulnerability) that Kaspersky described in February 2016 (summarized in English) and which hackers had used to infect more than 140 institutions, including banks, government and telecommunications agencies around the world (including Germany, Austria, Iran, Saudi Arabia and others).
In the case of two attacked Russian banks, the attackers used the same procedure. With the help of the well-known tools PowerShell and Meterpreter, they took control of computers inside the bank and planted a malicious key in the Windows registry. They left no traces behind (everything disappeared on restart) and were essentially undetectable. In this way the hackers eavesdropped on the necessary passwords and procedures and launched the second phase of the robbery.
From the compromised computers they installed malware called ATMitch on selected ATMs, which gave them remote administrative access to the devices. Through it, at any time, they could order a chosen ATM to dispense a given amount of cash. ATMitch looked for the text file commands.txt, from which it read the command to determine the amount of cash in the device's cassette and the command to dispense it. It then deleted the original file from the ATM hard disk and wrote the log entry to a new file.
A guy with a drill
In the middle of the day, a man stands at an ATM and drills into it with an ordinary drill. Then he connects a box to the device and after a while walks away with a stack of banknotes. Something that can only happen in Russia? Not at all. Although the story began in this country, and in particular the original idea for this way of robbing an ATM comes from here, similar cases have been reported by banks in Europe, according to Kaspersky experts.
This is how the attacker drilled into the ATM to gain control of the machine. Image from the ATM security camera.
In the end, one of the perpetrators who was drilling so enthusiastically was caught: someone noticed and called the police. He managed to destroy and discard the unknown device he had wanted to connect to the ATM. The drilled ATM then travelled to Kaspersky's underground car park, where Golovanov and Soumenkov set up an improvised laboratory for several weeks. They had only the ATM and the photos from the security camera; the attacker's equipment was not preserved.
ATMs can respond with an alarm to tilting or other movement, but drilling with a 4-centimetre bit next to the keypad apparently does not bother them. Besides this obvious weakness, the researchers also found that the individual components of the ATM do not authenticate each other when communicating. Any part can therefore be conveniently replaced by another one, and the rest of the machine, and thus the bank, will not notice at first. So the purpose of the hole was mainly this: that is where the attacker wanted to connect to the system and withdraw the cash.
The hole with a diameter of over three centimeters allowed the offender access to the SDC bus and thus to the entire ATM.
Now Golovanov and Soumenkov had to find out what kind of device would be able to control the ATM in this way. The parts cost $15. Of course, they did not share the exact recipe. The path led through a ten-pin connector, which could be connected to both the internal computer and the cash dispenser.
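The missing authentication between ATM components described above is the gap a message authentication code with replay protection closes. The following sketch is an added illustration, not code from the page, from Kaspersky or from any real ATM vendor protocol: a dispenser accepts a command only if it carries a valid HMAC under a shared key (assumed to be provisioned into both sides) and a counter newer than the last accepted one, so a device spliced onto the bus can neither forge nor replay a dispense command.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real design would provision it into both the ATM
# computer and the dispenser (hypothetical scheme, not a real vendor protocol).
SHARED_KEY = b"constructed-demo-key-not-for-production"
BODY_LEN = 12   # counter (8 bytes) + amount (4 bytes)
TAG_LEN = 32    # HMAC-SHA256 digest

def build_frame(key: bytes, counter: int, amount: int) -> bytes:
    """Encode a dispense command as counter | amount | HMAC-SHA256 tag."""
    body = struct.pack(">QI", counter, amount)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Dispenser:
    """Dispenser side: a frame is executed only if its tag verifies and its
    counter is strictly greater than the last accepted one (blocks replays)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.dispensed = []

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        counter, amount = struct.unpack(">QI", body)
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.dispensed.append(amount)
        return f"dispensed {amount}"

def demo() -> list:
    """A legitimate command, its replay, a tampered copy, and a frame forged
    by a device on the bus that does not hold the key."""
    d = Dispenser(SHARED_KEY)
    good = build_frame(SHARED_KEY, counter=1, amount=100)
    results = [d.receive(good), d.receive(good)]   # second call is a replay
    tampered = bytearray(good)
    tampered[BODY_LEN - 1] ^= 0x01                 # flip a bit of the amount
    results.append(d.receive(bytes(tampered)))
    results.append(d.receive(build_frame(b"no-key", counter=2, amount=5000)))
    return results
```

Only the first frame is executed; the replayed, tampered and forged frames are all refused before any cash moves.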
An ordinary Bluetooth keyboard
The last of the three cases that Golovanov and Soumenkov encountered in 2016 was, in a way, the most low-key. The bank supplied them with an ATM that an unknown person had robbed.
Igor Soumenkov summarizes how to easily withdraw pensions from an ATM with the help of a forgotten dongle from a Bluetooth keyboard.
The cameras did not capture anything, because the perpetrator had thoroughly taped them all over (an ATM is usually equipped not with just one camera but with several, and more are placed in its vicinity).
At first glance it was a mystery, because there was no sign of any malware. When disassembling the device, the experts found a kind of USB dongle in the service module (in the USB hub). It turned out to be the dongle of a wireless keyboard. It was enough for the perpetrator to sit in the car park near the ATM, start the service mode with the keyboard and then just walk up and withdraw the desired amount. So as not to be detected, he had connected the USB dongle a few months in advance and used it at the moment when all the service logs were automatically deleted.