{
	"id": "dcd178bd-8e16-4ce8-905a-664b63cbd85e",
	"created_at": "2026-04-06T00:17:32.6505Z",
	"updated_at": "2026-04-10T03:21:02.206093Z",
	"deleted_at": null,
	"sha1_hash": "2ddf6255b87885deaf000cd987fe77944c61cbd8",
	"title": "ATMitch: remote administration of ATMs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211125,
	"plain_text": "ATMitch: remote administration of ATMs\r\nBy Sergey Golovanov\r\nPublished: 2017-04-04 · Archived: 2026-04-05 19:10:22 UTC\r\nIn February 2017, we published research on fileless attacks against enterprise networks. We described the data\r\ncollected during incident response in several financial institutions around the world, exploring how attackers\r\nmoved through enterprise networks leaving no traces on the hard drives. The goal of these attackers was money,\r\nand the best way to cash out and leave no record of transactions is through the remote administration of ATMs.\r\nThis second paper is about the methods and techniques that were used by the attackers in the second stage of their\r\nattacks against financial organizations – basically enabling remote administration of ATMs.\r\nIn June 2016, Kaspersky Lab received a report from a Russian bank that had been the victim of a targeted attack.\r\nDuring the heist, the criminals were able to gain control of the ATMs and upload malware to them. After cashing\r\nout, the malware was removed. The bank’s forensics specialists were unable to recover the malicious executables\r\nbecause of the fragmentation of a hard drive after the attack, but they were able to restore the malware’s logs and\r\nsome file names.\r\nThe bank’s forensic team were able, after careful forensic analysis of the ATM’s hard drive, to recover the\r\nfollowing files containing logs:\r\nC:\\Windows\\Temp\\kl.txt\r\nC:\\logfile.txt\r\nIn addition, they were able to find the names of two deleted executables. Unfortunately, they were not able to\r\nrecover any of the contents:\r\nC:\\ATM\\!A.EXE\r\nC:\\ATM\\IJ.EXE\r\nWithin the log files, the following pieces of plain text were found:\r\n[Date – Time]\r\n[%d %m %Y – %H : %M : %S] \u003e Entering process dispense.\r\n[%d %m %Y – %H : %M : %S] \u003e Items from parameters converted successfully. 4 40\r\n[%d %m %Y – %H : %M : %S] \u003e Unlocking dispenser, result is 0\r\n[%d %m %Y – %H : %M : %S] \u003e Catch some money, bitch! 4000000\r\n[%d %m %Y – %H : %M : %S] \u003e Dispense success, code is 0\r\nAs mentioned in the previous paper, based on the information from the log file we created a YARA rule to find a\r\nsample, in this case: MD5 cef6c2aa78ff69d894903e41a3308452. And we’ve found one. This sample was\r\nuploaded twice (from Kazakhstan and Russia) as “tv.dll”.\r\nhttps://securelist.com/atmitch-remote-administration-of-atms/77918/\r\nPage 1 of 4\n\nThe malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via\r\nRemote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the\r\n“command.txt” file that should be located in the same directory as the malware and created by the attacker. If\r\nfound, the malware reads the one character content from the file and executes the respective command:\r\n‘O’ – Open dispenser\r\n‘D’ – Dispense\r\n‘I’ – Init XFS\r\n‘U’ – Unlock XFS\r\n‘S’ – Setup\r\n‘E’ – Exit\r\n‘G’ – Get Dispenser id\r\n‘L’ – Set Dispenser id\r\n‘C’ – Cancel\r\nAfter execution, ATMitch writes the results of this command to the log file and removes “command.txt” from the\r\nATM’s hard drive.\r\nThe sample “tv.dll” successfully retrieved in this case does not try to conceal itself within the system.\r\n\r\nThe malware’s command parser\r\nThe malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM\r\nthat supports the XFS library (which is the vast majority).\r\nUnfortunately, we were unable to retrieve the executables (!A.exe and IJ.exe, located in C:\\ATM) from the ATM;\r\nonly the file names were found as artefacts during the forensic analysis. We assume that these are the installer and\r\nuninstaller of the malware. It should also be noted that “tv.dll” contained one Russian-language resource.\r\nKaspersky Lab continues to monitor and track these kinds of threats and reiterates the need for allowlisting in\r\nATMs as well as the use of anti-APT solutions in banking networks.\r\n\r\nSource: https://securelist.com/atmitch-remote-administration-of-atms/77918/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/atmitch-remote-administration-of-atms/77918/"
	],
	"report_names": [
		"77918"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ddf6255b87885deaf000cd987fe77944c61cbd8.pdf",
		"text": "https://archive.orkl.eu/2ddf6255b87885deaf000cd987fe77944c61cbd8.txt",
		"img": "https://archive.orkl.eu/2ddf6255b87885deaf000cd987fe77944c61cbd8.jpg"
	}
}