ATMitch

ATMitch operates by reading commands contained within a local text file labeled command.txt. The commands are simple, one-letter characters such as ‘O’ for open dispenser, ‘D’ for dispense, and ‘E’ for Exit. Once an ATM is infected, threat actors can upload specific instructions to the command.txt file. ATMitch deletes itself and all related files once the attack is complete. It is suspected that threat actors deploy ATMitch after gaining access to a bank’s ATM network via Remote Desktop Protocol (RDP). Attacks involving ATMitch have been documented in Russia and Kazakhstan, although it is suspected that other countries have been impacted as well.

Reporting and Technical Details:

April 2017: Self-Deleting Malware Makes ATMs Spit out Cash (Bleeping Computer)
May 2019: ATMitch: New Evidence Spotted In The Wild (Security Affairs)
ATMitch: New Evidence Spotted In The Wild

Image Source: Bleeping Computer

ATMitch: New Evidence Spotted In The Wild

NJ CYBERSECURITY & COMMUNICATIONS INTEGRATION CELL

PO Box 091

Trenton, NJ 08625

CONTACT US

Email: njccic@cyber.nj.gov

Phone: 1-833-4-NJCCIC (1-833-465-2242)