Researchers have spotted a new malware sample that is said to have been active since 2017. The malware is believed to have been part of a 2016 advanced cyber-espionage campaign targeting a Russian bank.
How does it propagate?
The malware sample is executed using a file named ‘tester.exe’. According to the researchers from Yoroi-Cybaze ZLab, this custom loader helps the malicious payload take control of the target machine.
“When started, the executable creates a new folder on 'C:\intel' and then starts inspecting all the running processes. It looks for a really particular one: 'fwmain32.exe'. This lookup reveals how deeply environmentally aware this implant is. In fact, the 'fwmain32' process is part of the software services produced by Wincor Nixdorf International GmbH, one of the major vendors providing retail and banking hardware such as ATMs,” the researchers explained in a blog post.
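The behaviour quoted above gives a defender three host-level indicators to look for together: the loader image name, the staging folder it creates, and the ATM vendor process it checks for before going further. The following Python hunting snippet is an added example, not code from the article or from the Yoroi-Cybaze researchers. It parses the CSV output of the Windows `tasklist /fo csv /nh` command (header suppressed by `/nh`) and a list of top-level directories, both constructed inline here, and reports whether the indicators co-occur on the host; the `hunt` and `parse_tasklist` function names are assumptions of this example.

```python
import csv
import io
from typing import Dict, List

# Indicators taken from the article: the loader file name, the staging
# folder it creates, and the Wincor Nixdorf process it searches for.
LOADER_IMAGE = "tester.exe"
STAGING_DIR = r"C:\intel"
ATM_SERVICE_IMAGE = "fwmain32.exe"

# Constructed sample of what `tasklist /fo csv /nh` could print on an ATM host.
# PIDs and memory figures are made up for this example.
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Services","0","8 K"\n'
    '"fwmain32.exe","1820","Console","1","24,312 K"\n'
    '"tester.exe","4412","Console","1","6,104 K"\n'
    '"explorer.exe","2316","Console","1","61,220 K"\n'
)

# Constructed sample of top-level directories on the same host (in practice
# this would come from os.listdir("C:\\") or a forensic image).
SAMPLE_DIRS = [r"C:\Windows", r"C:\intel", r"C:\Program Files"]


def parse_tasklist(csv_text: str) -> List[Dict[str, str]]:
    """Parse header-less `tasklist /fo csv /nh` output into one dict per process."""
    fields = ["image", "pid", "session", "session_no", "mem"]
    rows = []
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) != len(fields):
            continue  # skip blank or truncated lines rather than crash
        rows.append(dict(zip(fields, rec)))
    return rows


def hunt(csv_text: str, directories: List[str]) -> Dict[str, object]:
    """Check the three article indicators and flag when they co-occur."""
    procs = parse_tasklist(csv_text)
    images = {p["image"].lower() for p in procs}
    dirs = {d.lower() for d in directories}
    findings: Dict[str, object] = {
        "loader_running": LOADER_IMAGE in images,
        "staging_dir_present": STAGING_DIR.lower() in dirs,
        "atm_software_present": ATM_SERVICE_IMAGE in images,
        "loader_pids": [p["pid"] for p in procs if p["image"].lower() == LOADER_IMAGE],
    }
    # A file named tester.exe is weak evidence on its own; the combination with
    # the vendor process (the condition the implant itself checks for) and the
    # freshly created staging folder is what makes the finding worth escalating.
    findings["high_risk"] = bool(
        findings["loader_running"]
        and findings["atm_software_present"]
        and findings["staging_dir_present"]
    )
    return findings


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_TASKLIST, SAMPLE_DIRS).items():
        print(f"{key}: {value}")
```

A name match alone is deliberately not treated as high risk, since `tester.exe` is a generic filename; the point of the example is that the implant's own environment check (the presence of `fwmain32.exe`) doubles as the context a defender should require before escalating.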
How does the attack occur?
Following are the steps by which the attack is launched using the malware:
What are the capabilities?
The capabilities of ATMitch are: