ATM MALWARE

Recommendations

Info

Analysts using RSA ECAT can triage systems across the network with minimal effort, drastically decreasing the overall response time. When an organization deploys RSA ECAT on ATMs and properly baselines those systems, the process of detecting anomalous activity is even easier. Whitelisting and blacklisting of files with RSA ECAT can also streamline the monitoring and investigation processes. RSA ECAT DETECTION: TROJANSPY:ATM/PLOUTUS TrojanSpy:ATM/Ploutus allows criminals to use a mobile phone to access an ATM by sending a simple text message that ultimately results in cash being immediately dispensed. The variant we analyzed, Backdoor.Ploutus.B, is an evolution of the malware and was used in several bank thefts between 2013 and 2015. This malware is a Trojan horse that opens a back door on a compromised ATM using a USB link to a connected mobile phone enabling the attacker to manage the ATM via text messages (SMS). Running an RSA ECAT agent (version 4.1 was used for this analysis) on an ATM terminal infected with Backdoor.Ploutus.B quickly detects the malicious process. RSA ECAT scores modules from 1 to 1024, where a higher score indicates a higher confidence that the process is malicious. The figure below shows the threat score collected from RSA ECAT. Figure 8: ECAT Score for Win32.Ploutus Malware RSA ECAT DETECTION: BACKDOOR.ATM.TYUPKIN Backdoor.ATM.Tyupkin is another malware variant that allows cyber criminals to empty cash machines via direct manipulation. Once inside the bank’s network, the attacker can traverse the network and introduce secondary tools to harvest credentials and obtain the data they are seeking. Once attackers have the data they need to exfiltrate it, potentially using a staging server on the bank’s network, RSA ECAT can quickly identify the Backdoor.ATM.Tyupkin process on an infected system. This is illustrated in Figure 9. If the Yara signatures, which are included with this report, are deployed to RSA ECAT, this module would have received a score of 1024 (the worst possible score). Figure 9: RSA ECAT score on Backdoor.ATM.Tyupkin RSA ECAT DETECTION: BACKDOOR.ATM.SUCEFUL Backdoor.ATM.Suceful is a newer variant in the ATM malware landscape. It incorporates features traditionally not built into ATM malware. The new malware uses an advanced technique to target cardholders. Once the ATM system is infected, the malware is able to record card- and user-supplied data for the inserted credit or debit card, including payment account details, IDs and PIN
passwords as they are entered. In addition, the malware is capable of suppressing the built-in alarms that are standard on every ATM, and triggering the card-withholding mechanism. The figure below displays how RSA ECAT would score the malicious process as suspect on an ATM infected with this strain of malware. Figure 10: RSA ECAT Score on Backdoor.ATM.Suceful RSA ECAT DETECTION: BACKDOOR.GREENDISPENSER The Backdoor.GreenDispenser variant provides an attacker with the ability to walk up to an infected ATM and drain its cash vault. When installed, the malware will create a mutex named “dispenserprgm” to avoid the risk of running duplicate processes of the malware. The GreenDispenser variant can also display an “out of service” message on the ATM to ward off legitimate users. However, attackers who enter the correct pin codes can use the machine to collect the cash and erase the malware using a delete process, leaving little (if any) trace of how the ATM was robbed. The program used for this deletion procedure is a legitimate Windows tool signed Sysinternal, called Sdelete.exe 7 . Custom IIOCs for RSA ECAT can be written to look for the known mutex names, and the Yara Integration that was previously discussed can be used to improve detection. Figure 11: RSA ECAT Score on GreenDispenser CONCLUSION ATM-focused malware is increasing in sophistication every year. Security monitoring and threat detection tools such as RSA Security Analytics and RSA ECAT can help security and fraud teams identify attacks early; before sensitive data is accessed or money is stolen. In these circumstances, not only is it critical to detect these advanced threats, but also minimize the time to detection. Improved situational awareness can accelerate an organization’s incident response and reduce the overall exposure to fraud and data loss. RSA Security Analytics and RSA ECAT provide organizations with the ability to discover and mitigate attacks before they become major incidents. 7 Software available here: https://technet.microsoft.com/en-us/sysinternals/sdelete.aspx
Page 1 and 2: RSA ® INCIDENT RESPONSE REPORT: TH
Page 3 and 4: EXECUTIVE SUMMARY The famous Americ
Page 5 and 6: speed the response time, reducing o
Page 7 and 8: Figure 4: Ploutus Attack Scenario B
Page 9: Figure 6 below illustrates the way
Page 13 and 14: condition: all of them and // MZ si

ATM MALWARE

Create successful ePaper yourself

Delete template?

Save as template?