ATMs have long been viewed by hackers as instant jackpot machines: compromise one and it can be made to spit out cash when malicious code is executed. They are not only machines that hold relatively large sums of cash; they are also a treasure trove of information worth stealing. Researchers at Kaspersky Labs have discovered a new malware variant that appears designed to go after the information rather than the cash, at least for now, since the data from bank cards inserted into the machine can be used later in a variety of ways for financial gain.
In a report published by Kaspersky Labs, the malware, named ATMDtrack, has been seen targeting Indian ATMs and banks since September 2018, with the latest associated activity tracked to September 2019. In the newer attacks, researchers discovered a newer, improved version of ATMDtrack, which they subsequently called Dtrack, that focuses more on spying and data theft than on stealing data from bank cards. Dtrack is seen as more potent because of its expanded features, which include a Remote Access Trojan (RAT) that, when executed, grants the attacker access to the infected computer. The latest campaigns employing Dtrack have been seen targeting Indian research centers as well as banks.
The malware consists of two separate parts within the payload. The first part is the encrypted payload and the dropper. To further hinder detection, the malware authors embedded the malicious code into a harmless executable; in some cases a default Visual Studio MFC project served as the harmless executable, but other programs were seen used during the course of the investigation.
Once the researchers were able to decrypt the data, they discovered that the malware uses process hollowing to further hide the malicious payload. Process hollowing involves starting a process in a suspended state; the malware then unmaps the process's memory and replaces it with the malicious code. It is another technique employed by hackers to avoid detection and analysis.
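From the defender's side, the hollowing sequence just described (suspended process creation, unmapping of its image, writing new code into it, resuming the thread) is exactly the kind of API pattern a sandbox or EDR trace can be checked for. The following is an added example, not code from the Kaspersky report or from Dtrack: it runs a small per-process state machine over a constructed, sandbox-style API trace and flags a child process only when every stage of the pattern is present. The trace format and the sample lines are assumptions made for the example; the API names and the CREATE_SUSPENDED flag value (0x4) are the real Win32 ones.

```python
import re
from collections import defaultdict

# Constructed sample trace in a "parent_pid api(args) [-> pid=child]" format.
# It is not a real Dtrack trace and does not follow any particular sandbox's output.
SAMPLE_TRACE = r"""
1001 CreateProcessW(lpApplicationName="C:\Windows\System32\svchost.exe", dwCreationFlags=0x4) -> pid=2002
1001 NtUnmapViewOfSection(pid=2002, BaseAddress=0x400000)
1001 VirtualAllocEx(pid=2002, Address=0x400000, Protect=PAGE_EXECUTE_READWRITE)
1001 WriteProcessMemory(pid=2002, Address=0x400000, Size=0x2a000)
1001 SetThreadContext(pid=2002)
1001 ResumeThread(pid=2002)
3003 CreateProcessW(lpApplicationName="C:\Windows\System32\notepad.exe", dwCreationFlags=0x0) -> pid=4004
3003 WriteProcessMemory(pid=4004, Address=0x7ff0000, Size=0x100)
"""

CREATE_SUSPENDED = 0x4  # real Win32 dwCreationFlags bit
STAGES = ("suspended_create", "unmap", "write", "resume")

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*?)\)(?:\s*->\s*pid=(?P<child>\d+))?$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_line(line):
    """Parse one trace line into (parent_pid, api, args_dict, child_pid_or_None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {k: v.strip('"') for k, v in ARG_RE.findall(m.group("args"))}
    return m.group("pid"), m.group("api"), args, m.group("child")


def detect_hollowing(trace):
    """Return one finding per child process that shows the full hollowing sequence.

    A finding requires all four stages: created suspended, image unmapped,
    memory written, and the thread's context set or the thread resumed.
    A plain WriteProcessMemory into a normally created process is not enough.
    """
    state = defaultdict(lambda: {"parent": None, "image": "?", "stages": set()})
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid, api, args, child = rec
        if api in ("CreateProcessA", "CreateProcessW") and child:
            info = state[child]
            info["parent"] = pid
            info["image"] = args.get("lpApplicationName", "?")
            if int(args.get("dwCreationFlags", "0"), 16) & CREATE_SUSPENDED:
                info["stages"].add("suspended_create")
            continue
        target = args.get("pid")
        if target is None or target not in state:
            continue  # cross-process call into a process we did not see created
        stages = state[target]["stages"]
        if api == "NtUnmapViewOfSection":
            stages.add("unmap")
        elif api == "WriteProcessMemory":
            stages.add("write")
        elif api in ("SetThreadContext", "ResumeThread"):
            stages.add("resume")
    findings = []
    for child, info in state.items():
        if set(STAGES) <= info["stages"]:
            findings.append({
                "parent_pid": info["parent"],
                "child_pid": child,
                "image": info["image"],
                "stages": sorted(info["stages"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: parent {f['parent_pid']} -> "
              f"child {f['child_pid']} ({f['image']}), stages {f['stages']}")
```

Requiring every stage keeps the check from firing on debuggers and installers that legitimately create suspended processes or write into other processes; in a real deployment the same state machine would be fed from EDR or Sysmon-style telemetry rather than a text trace.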
Once the process hollowing completes, the second part of the malware begins its work. The second part features the malware dropper, which contains a variety of executables that perform the spying and data stealing. A dropper acts as a trojan and is often the piece of the malware containing the malicious payload. In this instance the dropper contains executables designed for:
- retrieving browser history
- gathering host IP addresses, information about available networks, and active connections
- listing all running processes
- listing all files on all available disk volumes
- The dropper also contains a RAT capable of uploading and downloading files, as well as executing code.
ATMDtrack and Dtrack possibly of North Korean Origin
Researchers believe that both ATMDtrack and Dtrack may be of North Korean origin and, further, linked to the Lazarus Group, a hacking group believed to be North Korea’s biggest state-sponsored hacking collective. The links between the two new malware variants and Lazarus appear self-evident, with Kaspersky researchers first linking the two new pieces of malware and then noticing the similarities to tools used in the past by Lazarus. On the similarities between ATMDtrack and Dtrack, researchers noted:
“ATMDTrack is a subset of the DTrack family. They naturally look different despite their similarities. For example, Dtrack’s payload is encrypted within a dropper—unlike the ATMDTrack samples, which were not encrypted at all. But after decrypting the Dtrack payload, it becomes clear that the developers are the same group of people: both projects have the same style and use the same implemented functions. The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.”
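The string routine the researchers single out is the kind of thing an analyst reimplements to recover the strings a sample hides, and to write a matching detection. The following is an added example written from the quote above; it is not Kaspersky's code or the malware's own code. The quote gives only the two branches, so the byte-level details are assumptions: that "cuts it out" means the text after the CCS_ marker is returned unchanged, that the XOR key byte is the first byte and is itself dropped from the output, and that a string table is NUL-separated. The sample strings are constructed for the example.

```python
PREFIX = b"CCS_"


def decode_string(data):
    """Recover one plaintext string from the two cases the quote describes.

    Case 1: the string starts with "CCS_": strip the marker and return the rest
            (assumption: nothing else is changed).
    Case 2: otherwise the first byte is an XOR key applied to every following
            byte (assumption: the key byte itself is not part of the output).
    """
    if data.startswith(PREFIX):
        return data[len(PREFIX):]
    if not data:
        return b""
    key = data[0]
    return bytes(b ^ key for b in data[1:])


def encode_string(plain, key):
    """Inverse of case 2; used only to build the constructed samples below."""
    return bytes([key]) + bytes(b ^ key for b in plain)


def decode_table(blob):
    """Decode a NUL-separated table of obfuscated strings (assumed layout)."""
    return [decode_string(chunk) for chunk in blob.split(b"\x00") if chunk]


# Constructed sample table: one marker-prefixed entry and one XOR-obfuscated entry.
# Key 0x7F is chosen so no plaintext byte equals the key (which would yield a NUL).
SAMPLE_TABLE = (
    b"CCS_advapi32.dll" + b"\x00"
    + encode_string(b"GetProcAddress", 0x7F) + b"\x00"
)


if __name__ == "__main__":
    for s in decode_table(SAMPLE_TABLE):
        print(s.decode("ascii", errors="replace"))
```

Because the XOR branch stores its key in the first byte, any such string is recoverable without a sample-specific key, which is why a routine like this, once identified, lets an analyst dump a sample's whole string table in one pass and build indicators from it.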
Once the link between the two new malware variants was discovered, researchers noted that they bore an eerie similarity to tools used previously by Lazarus. In 2013 a series of attacks were uncovered targeting organizations and financial institutions in South Korea. These attacks were dubbed Operation Dark Seoul; the campaign looked to steal military information as well as wreak havoc by wiping data from targeted computers. Researchers at Kaspersky noticed that a lot of the old code from Operation Dark Seoul was used in the development of both ATMDTrack and DTrack. The discovery led researchers to conclude:
“The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”
Researchers also warned that these campaigns rely for their success on organizations having weak and insufficient network security measures, weak passwords or reliance on default passwords, and a lack of traffic monitoring. Kaspersky advises that organizations tighten their network and password policies and use a traffic monitoring solution combined with a reputable anti-virus package. If ATMDtrack and Dtrack are indeed the work of Lazarus, the group has added some potent weapons to an already potent arsenal, which notably includes WannaCry as well as data wipers and banking trojans.