ATMitch is a piece of malware designed to infiltrate ATMs and potentially allow its operators to drain them. Such threats are less common nowadays because financial institutions such as banks have begun to take serious measures to reduce the risk of hacking attacks. However, despite all these efforts, a cunning piece of malware can sometimes slip through the cracks. Such is the case with ATMitch, which was first spotted back in 2017 when it was used in an attack against a bank in Russia. The attackers relied on manual deployment, which required them to have a Remote Desktop Connection to a computer that is part of the ATM network. It is not clear what methods they used to gain this access.
There is a toolkit, an essential part of thousands upon thousands of ATMs worldwide, called the Extensions for Financial Services API, or XFS API for short. This toolkit passes commands through to the PIN pad and cash dispenser of an ATM. ATMitch works by altering the settings of the XFS API in accordance with the commands of its operators. This means that the people behind ATMitch are fully capable of emptying an ATM.
When the attackers manage to connect to the servers of the bank handling the ATMs, they upload the executable file of ATMitch. Once it has been transferred successfully, the malware can be launched and used. The attackers see a window where they can enter their commands and, in return, ATMitch confirms whether each operation has been successful. Cybercriminals often use a Command & Control server to operate their malware from a distance. ATMitch, however, works with the help of a 'command.txt' file, which is stored in the 'C:\intel\' folder on the compromised computer. This text file contains the list of commands and actions that the malware is meant to execute. All of ATMitch's actions are also written to a log file that is found on the infected PC. By eliminating the need for a Command & Control server, the attackers greatly reduce the footprint that their malware's activity leaves behind in terms of network traffic.
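Because ATMitch leaves almost no network trace, detection has to rest on host telemetry: the creation of 'C:\intel\command.txt' on an ATM host, and whether it follows a remote interactive (RDP) logon on the same machine. The following correlation logic is an added example and not part of the original article or of any vendor tooling; the event records are constructed, the field names are assumed and would need mapping to your own telemetry (Sysmon, EDR or Windows event logs), and the malware's log-file path is not given on the page, so only the command file is watched.

```python
from datetime import datetime, timedelta

# Indicator taken from the article; the log file path is not published, so it is not listed.
WATCHED_PATHS = {r"c:\intel\command.txt"}
RDP_LOGON_TYPE = 10  # Windows "RemoteInteractive" logon type (RDP)


def normalize(path):
    """Compare paths case-insensitively and regardless of slash direction."""
    return path.replace("/", "\\").lower()


def correlate(events, window=timedelta(hours=2)):
    """Flag creation of a watched file on any host; raise severity to 'high'
    when an RDP logon to the same host preceded it within `window`."""
    alerts = []
    last_rdp = {}  # host -> (logon time, user)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "logon" and ev.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[ev["host"]] = (ev["time"], ev["user"])
        elif ev["kind"] == "file_create" and normalize(ev["path"]) in WATCHED_PATHS:
            rdp = last_rdp.get(ev["host"])
            alert = {"host": ev["host"], "path": ev["path"],
                     "process": ev["process"], "severity": "medium",
                     "rdp_user": None, "delay_s": None}
            if rdp and ev["time"] - rdp[0] <= window:
                alert.update(severity="high", rdp_user=rdp[1],
                             delay_s=int((ev["time"] - rdp[0]).total_seconds()))
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (hypothetical hosts and users, not real data).
SAMPLE_EVENTS = [
    {"time": datetime(2024, 1, 1, 2, 0), "host": "atm-017", "kind": "logon",
     "user": "svc_ops", "logon_type": 10},
    {"time": datetime(2024, 1, 1, 2, 7), "host": "atm-017", "kind": "file_create",
     "path": r"C:\intel\command.txt", "process": "explorer.exe"},
    {"time": datetime(2024, 1, 1, 9, 0), "host": "atm-042", "kind": "file_create",
     "path": r"C:\Intel\command.txt", "process": "cmd.exe"},
    {"time": datetime(2024, 1, 1, 9, 5), "host": "atm-042", "kind": "file_create",
     "path": r"C:\Windows\Temp\update.log", "process": "svchost.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

On the sample data this yields a high-severity alert for atm-017 (command file written seven minutes after an RDP logon) and a medium one for atm-042, where the file appeared with no recorded RDP session.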
Banks are a very lucrative target for cybercriminals, and such institutions can never let their guard down when it comes to applying and enforcing strict security policies.