Infector for ATMs
#steem #ATM #Injector
Seven years ago, in 2009, we faced a completely new kind of attack on banks. Instead of infecting the computers of thousands of users worldwide, cybercriminals targeted ATMs directly, infecting them with malware called Skimer. Now, seven years later, Kaspersky Lab's Global Research and Analysis Team (GReAT) and Penetration Testing Team have investigated an incident and found a new, improved version of Skimer.
It infects like a virus
Cybercriminals often disguise their malware with packers to hamper analysis. The criminals behind Skimer used this method too: the commercially sold Themida packer was used to pack both the infector and the dropper.
Once launched, the Trojan checks the file system. If it is FAT32, it drops the file netmgr.dll into the folder C:\Windows\System32. If the file system is NTFS, the same file is placed in an NTFS alternate data stream attached to the executable of the XFS service. Most likely the NTFS stream is used to hinder forensic analysis: a stream does not appear in an ordinary directory listing, and the reported size of the executable it is attached to does not change.
After successful installation, the sample modifies the entry point of the XFS service executable (SpiService.exe) so that it calls LoadLibrary on the netmgr.dll it has just installed. This file is also protected with Themida.
Once installation is complete, the ATM is restarted. Thanks to the added LoadLibrary call, the malicious library is loaded into the address space of SpiService.exe, which gives it full access to XFS (the CEN/XFS interface through which the ATM's peripherals, such as the cash dispenser, card reader and PIN pad, are controlled).
Functionality
Unlike Tyupkin, which used a "magic" code and was active only at certain times, Skimer "wakes up" only when a "magic" card (one carrying specific Track 2 data; see the indicators of infection at the end of this post) is inserted into the ATM's card reader.
When the "magic" card is inserted, the malware is ready to interact with two different types of cards, each with its own function:
Type 1 cards: commands are requested via an interface
Type 2 cards: the command to be executed is hard-coded in Track 2
After the card is returned, the user is prompted to enter a session key within 60 seconds. Once the user is authenticated, the malware is ready to accept codes that determine what it does next (code 21 is the most commonly used). The codes are entered on the ATM's PIN pad.
Below is a list of the most important functions:
Show details of the malware installation;
Dispense cash: 40 banknotes from the specified cassette;
Start collecting data from inserted cards;
Print the collected card data;
Self-delete;
Enable debug mode;
Update (the updated malware code is carried on the card).
While operating, the malware also creates the following files or NTFS streams, depending on the file system (on NTFS the streams are attached to the C:\Windows\Temp directory itself, so an ordinary directory listing does not show them). They are used at different stages of its operation, including storing configuration, recording data read from cards and logging activity:
C:\Windows\Temp\attrib1: card data collected from network traffic or from the card reader;
C:\Windows\Temp\attrib4: a log of the API data exchanged with the keypad (in effect, a log of data such as entered PINs);
C:\Windows\Temp\mk32: same as attrib4;
C:\Windows\Temp:attrib1: a stream similar to attrib1;
C:\Windows\Temp:attrib4: a stream similar to attrib4;
C:\Windows\Temp:mk32: a stream similar to mk32;
C:\Windows\Temp:opt: a log of the money mules' activity.
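The artifacts above (and the file-name indicators in the appendix) are what an incident responder would check first on a suspect machine. The script below is an added example, not Kaspersky Lab's code: it probes the plain-file paths for the FAT32 variant, enumerates the alternate data streams on C:\Windows\Temp and on the XFS service binary for the NTFS variant, and applies a simple heuristic for the patched SpiService.exe (an entry point redirected to LoadLibrary("netmgr.dll") has to carry that library name in the image). The install path of SpiService.exe, the helper names and the stream-name handling are my assumptions; the post does not name the stream in which netmgr.dll is stored, so every stream on the service binary is reported.

```python
"""Host triage for the Skimer artifacts described in the post (added example)."""
import ctypes
import os
import sys

TEMP_DIR = r"C:\Windows\Temp"

# Plain-file form of the indicators (FAT32 volumes have no streams)
SKIMER_FILES = [
    r"C:\Windows\System32\netmgr.dll",
    TEMP_DIR + r"\attrib1",
    TEMP_DIR + r"\attrib4",
    TEMP_DIR + r"\mk32",
]
# Stream names attached to C:\Windows\Temp on NTFS volumes
SKIMER_STREAMS = {"attrib1", "attrib4", "mk32", "opt"}
# The XFS service's install path is vendor specific; this default is an assumption.
XFS_SERVICE = r"C:\Windows\System32\SpiService.exe"


def list_streams(path):
    """Return the names of the alternate data streams attached to `path`.

    Uses FindFirstStreamW/FindNextStreamW through ctypes, so it only works
    on Windows; elsewhere (or on FAT32, which has no streams) it returns [].
    """
    if sys.platform != "win32":
        return []

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_ulong]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    invalid_handle = (1 << (8 * ctypes.sizeof(ctypes.c_void_p))) - 1
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, invalid_handle):
        return []
    names = []
    try:
        while True:
            name = data.cStreamName          # "::$DATA" or ":attrib1:$DATA"
            if name != "::$DATA":            # skip the unnamed default stream
                names.append(name.split(":")[1])
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def references_netmgr(image):
    """Heuristic for the patched SpiService.exe: an entry point redirected to
    LoadLibrary("netmgr.dll") has to carry that name in the image, while a
    clean XFS service should not. Checks ANSI and UTF-16LE spellings."""
    lowered = image.lower()
    return b"netmgr.dll" in lowered or "netmgr.dll".encode("utf-16-le") in lowered


def triage(exists=os.path.exists, streams=list_streams, read_file=None,
           xfs_service=XFS_SERVICE):
    """Return a list of (kind, location) findings for this host.

    The file-system accessors are parameters so the logic can be run against
    an offline inventory or exercised in tests; the defaults inspect the live
    system, which is what you want on a suspect ATM.
    """
    if read_file is None:
        def read_file(path):
            with open(path, "rb") as fh:
                return fh.read()

    findings = []
    for path in SKIMER_FILES:                      # FAT32 variant
        if exists(path):
            findings.append(("file", path))
    for name in streams(TEMP_DIR):                 # NTFS variant: streams on the Temp dir
        if name in SKIMER_STREAMS:
            findings.append(("stream", TEMP_DIR + ":" + name))
    if exists(xfs_service):
        for name in streams(xfs_service):          # NTFS variant: netmgr.dll hidden here
            findings.append(("stream", xfs_service + ":" + name))
        if references_netmgr(read_file(xfs_service)):
            findings.append(("patched-entry-point", xfs_service))
    return findings


if __name__ == "__main__":
    for kind, location in triage():
        print(f"[{kind}] {location}")
```

Two caveats when running this on a real ATM: a Zone.Identifier stream on SpiService.exe is a common benign leftover of a download and will be reported like any other stream, so look at the stream's size and content before concluding anything; and the string heuristic only catches a binary that names the library in clear, so a packed or obfuscated patch still needs the antivirus detection (Trojan.Win32.Patched.rb) or a hash comparison against a known-good copy of the vendor's service executable.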
The following video shows in detail the scenario of a money mule interacting with an infected ATM, as described above.
https://www.youtube.com/watch?time_continue=1&v=hOcFy02c7x0
Conclusions
In the course of the recent investigations our team has conducted into ATM robbery incidents, we have found the Tyupkin and Carbanak attacks as well as "black box" attacks. The evolution of Backdoor.Win32.Skimer shows that criminals remain interested in developing these malware families, since ATMs are a very convenient cash-out mechanism for cybercriminals.
In this case, the important part is the data hard-coded in Track 2: to activate the malware, a card carrying this data has to be inserted into the ATM. As a preventive measure, banks can search for the corresponding card numbers in their processing systems, both to detect potentially infected ATMs or money mules and to block attempts to activate the malware.
We also recommend regular antivirus scans, application whitelisting, an effective device control policy, full-disk encryption, password-protecting the ATM's BIOS and allowing it to boot only from the hard disk, and isolating the ATM network from the rest of the bank's internal networks.
At present Kaspersky Lab has identified 49 variants of this malware, 37 of them designed for a single ATM manufacturer. The most recent version was detected in early May 2016.
All these samples are detected by Kaspersky Lab products as Backdoor.Win32.Skimer. Modified SpiService.exe files are detected as Trojan.Win32.Patched.rb.
The investigation is still ongoing. We have already passed the full report to various law enforcement agencies, Computer Emergency Response Teams (CERTs), financial institutions and customers of the Kaspersky Lab Threat Intelligence Service.
Appendix I. Indicators of infection
Hashes
F19B2E94DDFCC7BCEE9C2065EBEAA66C
3c434d7b73be228dfa4fb3f9367910d3
a67d3a0974f0941f1860cb81ebc4c37c
D0431E71EBE8A09F02BB858A0B9B80380
35484d750f13e763eae758a5f243133
e563e3113918a59745e98e2a425b4e81
a7441033925c390ddfc360b545750ff4
File names
C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll
Track 2 data
******446987512=********************
******548965875=********************
******487470138=********************
******487470139=********************
******000000000=********************
******602207482=********************
******518134828=********************
******650680551=********************
******466513969=********************
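The conclusions recommend searching processing systems for these card numbers. The script below is an added example, not from the original post or Kaspersky Lab, of how such a search can be expressed: it parses ISO/IEC 7813 Track 2 strings into PAN, expiry and service code and matches the PAN against the nine indicators. The masked pattern is read as a 15-digit PAN whose digits 7 to 15 are the visible run, immediately followed by the "=" separator; that reading, the helper names and the sample authorisation records (constructed, not real cards) are my assumptions.

```python
"""Match card data against the Skimer 'magic card' Track 2 indicators (added example)."""
import re

# Visible middle of the nine indicators: ******NNNNNNNNN=********************
SKIMER_MAGIC = {
    "446987512", "548965875", "487470138", "487470139", "000000000",
    "602207482", "518134828", "650680551", "466513969",
}

# ISO/IEC 7813 Track 2: [;]PAN=YYMMSSS<discretionary>[?]
# Sentinels are optional because most processing logs strip them; PAN up to 19 digits.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


def parse_track2(track):
    """Split a raw Track 2 string into its fields, or return None if malformed."""
    m = TRACK2_RE.match(track.strip())
    if not m:
        return None
    return {
        "pan": m.group("pan"),
        "expiry": m.group("exp"),           # YYMM
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),
    }


def is_magic_pan(pan):
    """Indicator shape: 6 masked BIN digits, 9 visible digits, then '='.
    So the PAN is taken to be exactly 15 digits with the visible run at
    positions 7-15 (assumption; relax the length check if your data differs)."""
    return len(pan) == 15 and pan.isdigit() and pan[6:15] in SKIMER_MAGIC


def check(value):
    """Accept either a raw Track 2 string or a bare PAN (what a processing
    system usually stores); return the matched 9-digit indicator or None."""
    parsed = parse_track2(value)
    pan = parsed["pan"] if parsed else value.strip()
    return pan[6:15] if is_magic_pan(pan) else None


def scan(records):
    """Walk an iterable of log values and return (value, indicator) hits.
    Malformed rows are skipped rather than aborting the scan."""
    hits = []
    for record in records:
        indicator = check(record)
        if indicator:
            hits.append((record, indicator))
    return hits


# Constructed sample records, not real card data
SAMPLE_AUTH_LOG = [
    ";123456446987512=20051010000000000000?",   # magic card, raw Track 2 with sentinels
    "987654487470139=2112201",                 # magic card, sentinels stripped
    "4111111111111111=2512101",                # ordinary 16-digit card
    "123456446987513=20051010000000000000",    # one digit off: no match
    "650680551",                               # too short to be a PAN
]

if __name__ == "__main__":
    for record, indicator in scan(SAMPLE_AUTH_LOG):
        print(f"Skimer magic card indicator {indicator} in record {record!r}")
```

In practice you would feed this the PAN column of the authorisation or card-reader event logs per ATM, and a hit identifies both the terminal to image and the card (and so the money mule) to block; because the indicators expose only nine digits, a hit on the all-zero value 000000000 deserves a second look before acting on it.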
Interesting thoughts