win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to drive the cash dispenser of an ATM through function calls into either CSCWCNG.dll or MFSXFS.dll.
Both are legitimate Windows DLLs (user-mode libraries rather than kernel drivers) that the ATM's own software uses to interact with the components of different ATM models; their presence on a machine is therefore expected, and detection should key on the unexpected command-line process that loads and calls them rather than on the libraries themselves.

References
2020 · Secureworks (SecureWorks)
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 · Secureworks (SecureWorks) — same threat profile as above, HTTPS URL
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18 · QuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 · QuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20230407 | Detects win.atmspitter.)
rule win_atmspitter_auto {

    /* Auto-generated code-signature rule for the ATMSpitter ATM cash-out tool.
     * It matches ten short x86 (32-bit) instruction sequences taken from the
     * analysed sample's unpacked code; a file hits when at least 7 of the 10
     * sequences are present and the file is smaller than 147456 bytes (144 KiB).
     * Because the sequences come from memory dumps / unpacked code (see the
     * DISCLAIMER below), a packed on-disk sample will generally not match —
     * apply the rule to unpacked files or process memory.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Conventions for the sequences below: "????????" wildcards the 4-byte
        // operand of a push/call/call-indirect, so relocated or re-linked code
        // still matches; the "n" / "score" annotations are yara-signator's own
        // metadata for the sequence (length in instructions, selection score).
        // Sequences 4, 5, 6 and 9 embed ABSOLUTE addresses (0x40xxxx) of the
        // analysed sample and are therefore brittle across rebuilds.

        // Branch, then push-immediate / call / pop the single argument, mov eax,1.
        $sequence_0 = { 0f8425020000 68???????? e8???????? b801000000 83c404 8944240c 3bf0 }
            // n = 7, score = 200
            //   0f8425020000         | je                  0x22b
            //   68????????           |                     
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1
            //   83c404               | add                 esp, 4
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   3bf0                 | cmp                 esi, eax

        // Compare chain: subtracts the constant 0xdadd from ecx and branches on it.
        $sequence_1 = { 741e 81e9ddda0000 0f8536010000 68???????? e8???????? 83c404 }
            // n = 6, score = 200
            //   741e                 | je                  0x20
            //   81e9ddda0000         | sub                 ecx, 0xdadd
            //   0f8536010000         | jne                 0x13c
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // Passes a stack buffer ([esp+0x68]) to an indirect (ff15) call.
        $sequence_2 = { 53 8d4c2468 68???????? 51 ff15???????? 68???????? }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   8d4c2468             | lea                 ecx, [esp + 0x68]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   68????????           |                     

        // Sets up two stack-local pointers ([esp+0x20], [esp+0xc8]) as arguments.
        $sequence_3 = { 40 89442428 8d4c2420 8d8424c8000000 51 89442438 }
            // n = 6, score = 200
            //   40                   | inc                 eax
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   8d8424c8000000       | lea                 eax, [esp + 0xc8]
            //   51                   | push                ecx
            //   89442438             | mov                 dword ptr [esp + 0x38], eax

        // NOTE(review): rep movsd followed by a jump through a table at the
        // absolute address 0x4077b0 looks like a compiler-runtime memory-copy
        // tail rather than family-specific logic; it may match unrelated
        // binaries built with the same toolchain — confirm before weighting it.
        $sequence_4 = { 83e203 83f908 7229 f3a5 ff2495b0774000 8bc7 }
            // n = 6, score = 200
            //   83e203               | and                 edx, 3
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495b0774000       | jmp                 dword ptr [edx*4 + 0x4077b0]
            //   8bc7                 | mov                 eax, edi

        // Indexes a table at absolute address 0x40cdcc (eax*2 stride).
        $sequence_5 = { 56 e8???????? 8d0445cccd4000 8bc8 2bce 6a03 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d0445cccd4000       | lea                 eax, [eax*2 + 0x40cdcc]
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   6a03                 | push                3

        // Loads a dword from a table at absolute address 0x40da60 (index = edx >> 5).
        $sequence_6 = { 57 8bc2 c1f805 8b048560da4000 8bfa }
            // n = 5, score = 200
            //   57                   | push                edi
            //   8bc2                 | mov                 eax, edx
            //   c1f805               | sar                 eax, 5
            //   8b048560da4000       | mov                 eax, dword ptr [eax*4 + 0x40da60]
            //   8bfa                 | mov                 edi, edx

        // Two indirect calls (ff15, typically through the import table): the
        // return value of the first (edi) is pushed as an argument to the second,
        // together with the constants 2, 0, 0.
        $sequence_7 = { ff15???????? 6a02 6a00 8bf8 6a00 57 ff15???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     

        // Function epilogue (add esp,8 / pop ebp / ret) immediately followed by
        // the push-immediate / call / add esp,4 prologue of the next routine.
        $sequence_8 = { e8???????? 83c408 5d c3 68???????? e8???????? 83c404 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // Computes the address of a 0x30-byte record in a table at absolute
        // address 0x40c890 and stores it into two ebp-relative locals.
        $sequence_9 = { 6bc930 8975e0 8db190c84000 8975e4 }
            // n = 4, score = 200
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db190c84000         | lea                 esi, [ecx + 0x40c890]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi

    condition:
        // At least 7 of the 10 sequences, and a size bound of 147456 bytes (144 KiB)
        // to limit matches on large files.
        // NOTE(review): `filesize` is only meaningful when scanning files;
        // confirm how this condition behaves when the rule is applied to
        // process memory, which is where the unpacked code is found.
        7 of them and filesize < 147456
}