A new piece of ATM malware, dubbed ATMDtrack, was discovered by researchers at Kaspersky and was developed and used by North Korea-linked hackers.
The attackers deployed the malware on ATM systems to steal the payment card details of bank customers.
ATMDtrack has been found on the networks of Indian banks since late summer 2018, and a more sophisticated version, named Dtrack, was involved in attacks aimed at Indian research centers.
According to a report published by Kaspersky, ATMDtrack is banking malware that targeted Indian banks; further analysis showed that it was designed to be planted on the victims' ATMs, where it could read and store the data of cards inserted into the machines.
According to them, the most recent attacks involving the malware were observed at the beginning of September 2019.
Dtrack was developed to spy on victims and exfiltrate data of interest; it supports features normally implemented in a remote access trojan (RAT).
The functionalities supported by the Dtrack payload executables analyzed by Kaspersky include keylogging, retrieving browser history, gathering host IP addresses and information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes.
Because the real payload was encrypted inside various droppers, the researchers were able to analyze only the dropped samples; these samples were identified thanks to unique code sequences shared by ATMDtrack and the Dtrack memory dumps.
Some of the executables pack the collected data into a password-protected archive and save it to disk, while others send the data directly to the C&C server. The droppers also contained a remote access trojan (RAT) that permits the attackers to perform various operations on a host, such as uploading, downloading and executing files.
Once the final payload is decrypted, Kaspersky researchers noticed similarities with the Dark Seoul campaign revealed in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.
The discovery of the ATMDtrack malware confirms the intense activity of the Lazarus APT group. The state-sponsored group continues to develop malware that is used in both financially motivated attacks and cyber espionage operations.
Kaspersky concluded that the early samples of this malware family were first observed in 2013, when it hit Seoul, and that six years later it has been found in India, attacking financial institutions and research centers. This group uses similar tools to perform both financially motivated and pure espionage attacks.
The technical details, including IoCs, are reported in the analysis published by Kaspersky.