ATMitch operates by reading commands contained within a local text file labeled command.txt. The commands are simple, one-letter characters such as ‘O’ for open dispenser, ‘D’ for dispense, and ‘E’ for Exit. Once an ATM is infected, threat actors can upload specific instructions to the command.txt file. ATMitch deletes itself and all related files once the attack is complete. It is suspected that threat actors deploy ATMitch after gaining access to a bank’s ATM network via Remote Desktop Protocol (RDP). Attacks involving ATMitch have been documented in Russia and Kazakhstan, although it is suspected that other countries have been impacted as well.

Reporting and Technical Details

Image Source: Bleeping Computer