Tomcat
Professional
- Messages
- 2,689
- Reaction score
- 929
- Points
- 113
Despite video cameras and the risk of ending up in the arms of law enforcement, attacks on ATMs using direct connections, so-called black box attacks, are still popular among criminals. The main reason for this, as one might assume, is the low qualification requirements for a cyberrobber - on specialized websites you can find both the necessary tools and instructions for their use.
Such attacks, combined with a toolkit codenamed KoffeyMaker, were investigated by Kaspersky Lab specialists in 2017-2018, when several Eastern European banks turned to us for help in the investigation: criminals quickly and almost unhindered emptied their ATMs. It quickly became clear that we were dealing with a black box - the attacker opened the ATM, connected the dispenser to his laptop, closed the ATM and left the crime scene, leaving the device inside. Further investigation showed that the “crime weapon” was a laptop with installed drivers for the ATM dispenser and a patched KDIAG utility; To organize remote access, a USB GPRS modem was connected to it. The OS used was Windows, most likely versions XP, ME or 7 for better compatibility with drivers.
ATM dispenser connected to computer without necessary drivers
Then the situation developed according to a standard scenario: at the agreed time, the attacker returned and imitated working with an ATM, and his accomplice remotely connected to a hidden laptop, launched KDIAG and gave the dispenser a command to dispense banknotes. After that, the attacker took the money, and then the laptop. The entire operation could well have been carried out by one person, however, a partnership scheme in which one participant is a “mule” and works directly with money and an ATM, and the second provides technical support for the operation for a share of the loot, is more common. Loot from one ATM can amount to tens of thousands of dollars, and only hardware encryption of data in the “dispenser - ATM PC” section can prevent the attack.
In general, the attack resembled the Cutlet Maker we described last year, with the exception of the software used. We were able to reproduce all the steps of KoffeyMaker in our test lab. We found the tools necessary for this without much difficulty - legitimate programs were used to carry out the attack, with the exception of the patched KDIAG, which Kaspersky Lab products detect as RiskTool.Win32.DIAGK.a. Note that previously the same version of this program was used by cybercriminals from the Carbanak group.
49c708aad19596cca380fd02ab036eb2
9a587ac619f0184bad123164f2aa97ca
2e90763ac4413eb815c45ee044e13a43
b60e43d869b8d2a0071f8a2c0ce371aa
3d1da9b83fe5ef07017cf2b97ddc76f1
45d4f8b3ed5a41f830f2d3ace3c2b031
f2c434120bec3fb47adce00027c2b35e
8fc365663541241ad626183d6a48882a
6677722da6a071499e2308a121b9051d
a731270f952f654b9c31850e9543f4ad
b925ce410a89c6d0379dc56c85d9daf0
d7b647f5bcd459eb395e8c4a09353f0d
0bcb612e6c705f8ba0a9527598bbf3f3
ae962a624866391a4321c21656737dcb
83ac7fdba166519b29bb2a2a3ab480f8
Driver
fed5
a8da5b44f926c7f7d11f566967a73a32
f046dc9e38024ab15a4de1bbfe830701
9a1a781fed629d1d0444a3ae3b6e2882
(c) SERGEY GOLOVANOV
Such attacks, combined with a toolkit codenamed KoffeyMaker, were investigated by Kaspersky Lab specialists in 2017-2018, when several Eastern European banks turned to us for help in the investigation: criminals quickly and almost unhindered emptied their ATMs. It quickly became clear that we were dealing with a black box - the attacker opened the ATM, connected the dispenser to his laptop, closed the ATM and left the crime scene, leaving the device inside. Further investigation showed that the “crime weapon” was a laptop with installed drivers for the ATM dispenser and a patched KDIAG utility; To organize remote access, a USB GPRS modem was connected to it. The OS used was Windows, most likely versions XP, ME or 7 for better compatibility with drivers.
ATM dispenser connected to computer without necessary drivers
Then the situation developed according to a standard scenario: at the agreed time, the attacker returned and imitated working with an ATM, and his accomplice remotely connected to a hidden laptop, launched KDIAG and gave the dispenser a command to dispense banknotes. After that, the attacker took the money, and then the laptop. The entire operation could well have been carried out by one person, however, a partnership scheme in which one participant is a “mule” and works directly with money and an ATM, and the second provides technical support for the operation for a share of the loot, is more common. Loot from one ATM can amount to tens of thousands of dollars, and only hardware encryption of data in the “dispenser - ATM PC” section can prevent the attack.
In general, the attack resembled the Cutlet Maker we described last year, with the exception of the software used. We were able to reproduce all the steps of KoffeyMaker in our test lab. We found the tools necessary for this without much difficulty - legitimate programs were used to carry out the attack, with the exception of the patched KDIAG, which Kaspersky Lab products detect as RiskTool.Win32.DIAGK.a. Note that previously the same version of this program was used by cybercriminals from the Carbanak group.
Hash amounts
KDIAG, incl. пропатченные файлы49c708aad19596cca380fd02ab036eb2
9a587ac619f0184bad123164f2aa97ca
2e90763ac4413eb815c45ee044e13a43
b60e43d869b8d2a0071f8a2c0ce371aa
3d1da9b83fe5ef07017cf2b97ddc76f1
45d4f8b3ed5a41f830f2d3ace3c2b031
f2c434120bec3fb47adce00027c2b35e
8fc365663541241ad626183d6a48882a
6677722da6a071499e2308a121b9051d
a731270f952f654b9c31850e9543f4ad
b925ce410a89c6d0379dc56c85d9daf0
d7b647f5bcd459eb395e8c4a09353f0d
0bcb612e6c705f8ba0a9527598bbf3f3
ae962a624866391a4321c21656737dcb
83ac7fdba166519b29bb2a2a3ab480f8
Driver
fed5
a8da5b44f926c7f7d11f566967a73a32
f046dc9e38024ab15a4de1bbfe830701
9a1a781fed629d1d0444a3ae3b6e2882
YARA Rule
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | rule software_zz_patched_KDIAG { meta: author = "Kaspersky Lab" filetype = "PE" date = "2018-04-28" version = "1.0" hash = "49c708aad19596cca380fd02ab036eb2" strings: $b0 = { 25 80 00 00 00 EB 13 FF 75 EC } $b1 = { EB 1F 8D 85 FC FE FF FF 50 68 7B 2F 00 00 } $s0 = "@$MOD$ 040908 0242/0000 CRS1.EXE W32 Copyright (c) Wincor Nixdorf" condition: ( uint16(0) == 0x5A4D and all of ( $s* ) and all of ( $b* ) ) } |
(c) SERGEY GOLOVANOV
