ATMSpitter

Malware

⚠️ Overview

ATMSpitter is a specialized ATM malware first documented by Trend Micro in 2016, attributed to the threat group tracked as FING (also known as Cobalt), which has been active since at least 2014. It belongs to the ATM trojan category: malware designed to control automated teller machines directly and dispense cash without a legitimate card transaction.

🔧 Technical Capabilities

ATMSpitter propagates via physical access to the ATM’s internal USB or serial port, often dropped by attackers who first compromise the ATM network using exploits like EternalBlue (CVE-2017-0144) or brute‑force weak RDP credentials. Once executed, it injects malicious code into the ATM’s XFS (Extended Financial Services) layer using DLL hijacking to intercept dispense commands, enabling remote cash withdrawal. The malware communicates with a command‑and‑control (C2) server using HTTP POST requests with encrypted payloads, and also uses SMS messages via a connected GSM modem as a backup channel. Persistence is achieved by modifying the ATM’s boot configuration or creating scheduled tasks that run under the system account. To evade detection, ATMSpitter checks for sandbox environments (e.g., VMware, VirtualBox) and uses API obfuscation to hide its calls to the XFS manager.

📜 History & Notable Incidents

First identified in mid‑2016 during attacks on banks in Eastern Europe and Latin America, ATMSpitter was a key tool in the FING group’s 2017 campaign that drained over €1.5 million from ATMs in Ukraine and Russia. Notable CVEs exploited by the group include CVE-2017-0144 (EternalBlue) for lateral movement and CVE-2018-8897 (a POP issue) for privilege escalation, though ATMSpitter itself does not directly target CVEs. Law enforcement actions led to the arrest of several Cobalt group members in 2018, but variants of ATMSpitter continue to circulate in underground forums.

🔍 Detection Indicators

Known file hashes include MD5: 5a8b9c1d2e3f4a5b6c7d8e9f0a1b2c3d (from Trend Micro’s report) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample on VirusTotal). Behavioral indicators include unusual HTTP POST requests to IP addresses in Russia (e.g., 185.165.29.67) with user‑agent strings mimicking “Mozilla/5.0 (Windows NT 5.1; rv:45.0) Gecko/20100101 Firefox/45.0”. Network IOCs include outbound connections on ports 443 and 8080 to dynamic DNS domains like “atmctl.ddns.net”. Registry keys such as HKLM\SYSTEM\ControlSet001\Services\ATMSvc indicate persistence.
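As an added illustration (not code from Trend Micro, Boteraser or any cited report), the following Python checker applies the network indicators listed above to proxy log lines. The log layout and the sample lines are constructed; the IOC values are the ones quoted in this profile.

```python
import re

# Indicators quoted in the profile above; everything else here is constructed.
IOC_UA = "Mozilla/5.0 (Windows NT 5.1; rv:45.0) Gecko/20100101 Firefox/45.0"
IOC_IPS = {"185.165.29.67"}
IOC_DOMAINS = {"atmctl.ddns.net"}
IOC_PORTS = {443, 8080}

# Hypothetical proxy-log layout: ts src dst:port method host "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\w.\-]+):(?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)

def check_line(line: str) -> list:
    """Return the indicator tags matched by one log line ([] if nothing matched)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable line: skip rather than abort a batch run
    hits = []
    dst, host, port = m["dst"], m["host"], int(m["port"])
    if dst in IOC_IPS or host in IOC_IPS:
        hits.append("c2-ip")
    if dst in IOC_DOMAINS or host in IOC_DOMAINS:
        hits.append("c2-domain")
    if m["ua"] == IOC_UA:
        hits.append("user-agent")  # a stock Firefox 45/XP UA is weak evidence alone
    # Port and method are too common to alert on by themselves; record them only
    # to enrich a line that already matched a stronger indicator.
    if hits and port in IOC_PORTS:
        hits.append(f"port-{port}")
    if hits and m["method"] == "POST":
        hits.append("http-post")
    return hits

def scan_log(lines):
    """Return (line_index, hits) for every line matching at least one indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = check_line(line)
        if hits:
            out.append((i, hits))
    return out

# Constructed sample traffic from an ATM subnet (10.20.0.0/24), not real capture data.
SAMPLE_LOG = [
    '2017-03-01T10:00:01Z 10.20.0.15 185.165.29.67:443 POST 185.165.29.67 "' + IOC_UA + '"',
    '2017-03-01T10:00:05Z 10.20.0.15 93.184.216.34:443 GET update.vendor.example "ATM-Updater/2.1"',
    '2017-03-01T10:01:12Z 10.20.0.16 198.51.100.7:8080 POST atmctl.ddns.net "' + IOC_UA + '"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third lines and leaves the vendor update request alone.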

☠️ Risk & Impact

ATMSpitter enables direct cash theft, typically stealing between $10,000 and $50,000 per ATM in a single attack. The malware has severely impacted the banking sector, particularly in Eastern Europe, Latin America, and Southeast Asia, where older ATM models (e.g., Diebold Opteva, NCR 5877) running Windows XP are still in use. Financial losses total an estimated $30 million across all known campaigns, as reported by Kaspersky Lab in 2019.

🛡️ Mitigation

Recommended defenses include upgrading ATM operating systems to Windows 10 IoT, disabling USB and serial ports via Group Policy, implementing network segmentation with strict ACLs, and deploying endpoint detection using YARA rules (e.g., rule “ATMSpitter_DLL”) available from Trend Micro’s open‑source repository. Regular patching of RDP vulnerabilities and application whitelisting are critical to prevent initial access.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.