April 4, 2017

Three ways to rob an ATM: Remote, almost remote, and physical

News Special Project Threats

You might’ve noticed that we are fond of theft by ATM. No, we don’t hack them ourselves, but whenever someone else does, we jump right on the case. At SAS 2017, the main cybersecurity event of the year, Kaspersky Lab experts Sergey Golovanov and Igor Soumenkov talked about three interesting cases.

Three ways to rob an ATM: Remote, almost remote, and physical

ATMitch — remote-controlled malware

The ATM stood empty. The bank’s forensics team found no malicious files, no strange fingerprints, no traces of any physical interaction with the device, no additional circuit-boards or other devices that could be used to take over control of the machine. They also found no money.

What the bank employees did find was one file, kl.txt. They figured “kl” might have something to do with KL — you know, Kaspersky Lab — so they contacted us, and that’s how we found ourselves investigating the case.

We had to start the investigation somewhere, so our researchers began by looking into that file. Based on the contents of the log file they were able to create a YARA rule — YARA is a malware research tool; basically, they made a search request for public malware repositories. They used it to try to find the original malware sample, and after a day the search yielded some results: a DLL called tv.dll, which by that time had been spotted in the wild twice, once in Russia and once in Kazakhstan. That was enough to begin untangling the knot.

A thorough investigation of the DLL enabled our researchers to reverse-engineer the attack, understand how it was actually performed, and even reproduce the attack on a test ATM in our test lab. Here’s what they found.

ATMitch at work

The attack originated with the malefactors exploiting a well-known but unpatched vulnerability and penetrating the target bank’s servers. (Haven’t we mentioned that updating software is a must? This is a case in point.)

The attackers used open-source code and publicly available tools to infect the computers in the bank, but the malware they created was hiding in the memory of the computers, not on their hard drives. There were no files, so the attack was extremely hard to spot — it was basically invisible to security suites. Worse, almost all traces of the malware disappeared when the system rebooted.

The attackers then established a connection to their command-and-control server, and that allowed them to remotely install software on the ATMs.

The malware in question, ATMitch, was installed and executed on the ATM directly from the bank using remote control tools. It looked like a legitimate update, so it didn’t raise red flags with any of the bank’s security solutions. After that, the malware started looking for a file called command.txt. This file contains the single-character commands that control the ATM. For example, “O” stands for “open cash dispenser.”

Here’s the part where the actual jackpotting begins. The malware starts with a command asking for the amount of money in the ATM, followed by another command to dispense a certain number of bills. By the time the command is sent, a money mule has arrived on site to grab the money and go.

The criminals tried not to leave any traces, so there were no executables on the ATM’s hard drive. And after the money had been dispensed, ATMitch wrote all the information regarding the operation into the log file and wiped the command.txt file clean. An important note: ATMitch could be installed on the vast majority of existing ATMs — the only requirement is that the ATM support an XFS library, and that’s what most ATMs do.

You can find additional details regarding ATMitch malware on Securelist.

Bl@ckb0x_m@g1k — a simple, smart trick

The next story, which also started with a request from a bank, is shorter. The ATM logs were again clear. The hard drive was intact, and the attacker duct-taped the CCTV so there was no footage of what happened.

We asked the bank to deliver the ATM to our office. We disassembled it and made an amazing discovery — a Bluetooth adapter connected to the ATM’s USB hub. And on the hard drive were drivers for a Bluetooth keyboard.

From there, reconstructing the robbery was simple. Someone installed a Bluetooth adapter on the ATM and waited three months for the logs to clear. Then the criminal came back with a Bluetooth keyboard, covered the security cameras, used the Bluetooth keyboard to reboot the ATM in service mode, and finally, performed the service operation of emptying the dispenser. That’s it.

The drill — an actual drill

Some solutions, such as remote-controlled malware and Bluetooth keyboards, seem elegant. The next trick is not.

The story begins like the others, with a bank contacting us to investigate yet another ATM theft. This time, forensics had found clear evidence of physical intervention: a perfectly round drilled hole about 4 cm in diameter near the PIN pad. And nothing more. ATMs look tough, but they have plastic parts, too. And those are easy to, you know, drill.

In a short span of time, there were several more cases like that in Russia and Europe. When police caught one suspect with a laptop and some wiring, the picture came into focus.

As we mentioned, we have an ATM in our lab, so we disassembled it to learn what the attacker could be trying to access using the hole. We found a 10-pin header, connected to a bus that interconnected basically all of the ATM’s components — from its internal computer to the cash dispenser.

We also found extremely weak encryption that took very little time to break.

To review: any one part of the ATM could control all the other parts, there was no authentication between parts (so any of them could be replaced without the others noticing), and the commands used to control them were rather easy to understand. Does that feel secure?

It cost us about $15 and some time to come up with a simple circuit board that could control the ATM once connected to the serial bus. Using it, we could make our test ATM dispense bills. It seems likely criminals have performed the same trick on actual ATMs with real money, but they needed a laptop to do it.

We notified the bank about our findings, but the problem here, as Igor Soumenkov points out, is that the ATMs cannot be updated remotely. Patching requires a hardware update, and that, in turn, requires a technician to visit the ATM — or, actually, lots of ATMs.

So what?

Ultimately, if you are not a bank employee, none of the above threats applies to you. They’re the bank’s problem, not yours. If you do work in a bank, however, and you have any influence over ATM protection, we can help you with ATMitch malware, which all of Kaspersky Lab’s security solutions catch. But we don’t have an anti-drilling protocol. That’s for you and your security cameras to catch.