North Korea-linked malware ATMDtrack infected ATMs in India

Kaspersky experts spotted a new piece of ATM malware, dubbed ATMDtrack, that was developed and used by North Korea-linked hackers.

Threat actors deployed the malware on ATM systems to steal the payment card details of the banks' customers.

ATMDtrack has been observed on the networks of Indian banks since late summer 2018; a more sophisticated version, tracked as Dtrack, was used in attacks aimed at Indian research centers.

“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines.” reads the analysis published by Kaspersky.

According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.

Dtrack was developed to spy on victims and exfiltrate data of interest; it supports features normally implemented in a remote access trojan (RAT).

Below is a list of some of the functionalities supported by the Dtrack payload executables analyzed by Kaspersky:

  • keylogging,
  • retrieving browser history,
  • gathering host IP addresses, information about available networks and active connections,
  • listing all running processes,
  • listing all files on all available disk volumes.

The experts were able to analyze only the dropped samples, because the real payload was stored encrypted inside various droppers. The samples were detected thanks to unique code sequences shared by ATMDtrack and the Dtrack memory dumps.

“At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly.” continues Kaspersky.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc.”

Once they decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.

“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.
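To make the shared routine concrete for analysts, here is an added re-implementation written from the prose description above; it is not Kaspersky's code and not code from the samples. It assumes the `CCS_` marker is plain ASCII, that the first byte is the XOR key applied to every remaining byte, and that the routine works on raw bytes; the sample strings and the `encode_for_demo` helper are constructed for the demonstration only. The `triage_strings` helper goes slightly beyond the description by running the decoder over a batch of candidate strings and keeping only printable results, which is how one would use such a routine when sifting a memory dump.

```python
# Added example, not the original analysis code. Re-implements the string-handling
# routine as described in prose: a "CCS_" prefix is stripped; otherwise the first
# byte is used as a single-byte XOR key for the rest of the string (assumptions).

CCS_MARKER = b"CCS_"  # assumption: ASCII marker as named in the analysis


def decode_string(data: bytes) -> bytes:
    """Return the cleartext form of one encoded string.

    - If the string starts with "CCS_", cut the marker off and return the rest.
    - Otherwise treat byte 0 as the XOR key and decrypt the remaining bytes.
    """
    if data.startswith(CCS_MARKER):
        return data[len(CCS_MARKER):]
    if not data:
        return b""
    key = data[0]
    return bytes(b ^ key for b in data[1:])


def encode_for_demo(plain: bytes, key: int) -> bytes:
    """Constructed helper: build an XOR-encoded string in the assumed layout
    (key byte followed by key-XORed payload) so the decoder can be exercised."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in plain)


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is printable ASCII (space through '~')."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def triage_strings(candidates: list[bytes]) -> list[bytes]:
    """Decode a batch of candidate strings (e.g. pulled from a memory dump) and
    keep only the results that decode to printable ASCII, which is the usual
    first filter when hunting for config strings, paths and API names."""
    results = []
    for cand in candidates:
        decoded = decode_string(cand)
        if is_printable_ascii(decoded):
            results.append(decoded)
    return results


if __name__ == "__main__":
    # Constructed sample inputs; nothing here comes from real samples.
    samples = [
        b"CCS_kernel32.dll",
        encode_for_demo(b"%SystemRoot%\\Temp", 0x5A),
        encode_for_demo(b"RunExe", 0x33),
        b"\x00\x01\x02",  # junk: decodes to non-printable bytes, filtered out
    ]
    for s in triage_strings(samples):
        print(s.decode("ascii"))
```

Run the file directly to see the three printable strings recovered from the constructed batch; the junk entry is dropped by the printable-ASCII filter.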

The discovery of the ATMDtrack malware confirms the intense activity of the Lazarus APT group.

The state-sponsored group continues to develop malware that is used in both financially motivated attacks and cyber espionage operations.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers.” concludes Kaspersky. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”

Technical details, including IoCs, are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)
