win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_atmspitter_auto {
    // Autogenerated YARA-Signator rule for the ATMSpitter family (Malpedia: win.atmspitter),
    // a set of command-line ATM cash-dispenser control tools.
    // Each $sequence_N string is a short run of x86 opcode bytes lifted from disassembly.
    // The "??" wildcard bytes sit where the instruction encodes a relocatable operand:
    // e8 (call rel32), ff15 (call dword ptr [imm32]) and 68 (push imm32), so the rule
    // keys on the opcode skeleton rather than on addresses that change between builds.
    // In the per-sequence comments below, "n" is the number of instructions in the
    // sequence (matches the listed disassembly lines); "score" is YARA-Signator's own
    // ranking value and its scale is not documented here.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Function prologue: frame setup, 8-byte stack alignment, then eax = 0x10bc
        // followed by a call. NOTE(review): "mov eax, <size>; call" after a prologue
        // resembles a compiler stack-probe (__chkstk) idiom, so this sequence may be
        // generic compiler output rather than family-specific code - confirm on a sample.
        $sequence_0 = { 8bec 83e4f8 b8bc100000 e8???????? a1???????? }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   b8bc100000           | mov                 eax, 0x10bc
            //   e8????????           |                     
            //   a1????????           |                     

        // Argument setup for an indirect (import-table) call: a stack-buffer address
        // (esp+0x68) and two pushed 32-bit immediates, both masked as wildcards.
        $sequence_1 = { 8d4c2468 68???????? 51 ff15???????? 68???????? }
            // n = 5, score = 200
            //   8d4c2468             | lea                 ecx, [esp + 0x68]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   68????????           |                     

        // Loop body that passes an entry of a dword table at 0x40cbc4 to an indirect
        // call and writes the returned eax back into the same slot, stepping edi by 4
        // until edi reaches 0x28 (10 entries). Looks like a table-driven resolution
        // loop (e.g. replacing names with resolved pointers) - inferred, not confirmed.
        $sequence_2 = { ffb7c4cb4000 ff15???????? 8987c4cb4000 83c704 83ff28 }
            // n = 5, score = 200
            //   ffb7c4cb4000         | push                dword ptr [edi + 0x40cbc4]
            //   ff15????????         |                     
            //   8987c4cb4000         | mov                 dword ptr [edi + 0x40cbc4], eax
            //   83c704               | add                 edi, 4
            //   83ff28               | cmp                 edi, 0x28

        // Linear scan of a table of 0x16 (22) eight-byte entries at 0x409a88, comparing
        // each entry's first dword with the first stack argument ([ebp+8]) and exiting
        // on a match.
        $sequence_3 = { 33c0 8b4d08 3b0cc5889a4000 740a 40 83f816 72ee }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b0cc5889a4000       | cmp                 ecx, dword ptr [eax*8 + 0x409a88]
            //   740a                 | je                  0xc
            //   40                   | inc                 eax
            //   83f816               | cmp                 eax, 0x16
            //   72ee                 | jb                  0xfffffff0

        // Two consecutive "push imm32; call; add esp, 4; jmp" case bodies - single-argument
        // cdecl calls followed by a jump to a common exit. NOTE(review): the first four
        // bytes-groups here (68 e8 83c404 eb59) are identical to the tail of $sequence_8,
        // so these two strings largely overlap and are not independent evidence toward
        // the "7 of them" threshold below.
        $sequence_4 = { 83c404 eb59 68???????? e8???????? 83c404 eb4a 68???????? }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   eb59                 | jmp                 0x5b
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb4a                 | jmp                 0x4c
            //   68????????           |                     

        // Indirect call with the immediate 0x120116 and a masked pointer as arguments,
        // the result saved in edi, then argument setup (2, 0, 0) for a following call.
        // The meaning of 0x120116 is not established by the rule - presumably an
        // access/flags value passed to an API; verify against the sample.
        $sequence_5 = { 6816011200 68???????? ff15???????? 6a02 6a00 8bf8 6a00 }
            // n = 7, score = 200
            //   6816011200           | push                0x120116
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0

        // Comparison chain on eax against the constants 0x2000ef04 and 0x20001422
        // (range check, then subtract-and-test). Constants with the 0x2000xxxx form
        // recur in this sample; their semantics are not documented in this rule.
        $sequence_6 = { 3d04ef0020 7763 744f 8bc8 81e922140020 7433 49 }
            // n = 7, score = 200
            //   3d04ef0020           | cmp                 eax, 0x2000ef04
            //   7763                 | ja                  0x65
            //   744f                 | je                  0x51
            //   8bc8                 | mov                 ecx, eax
            //   81e922140020         | sub                 ecx, 0x20001422
            //   7433                 | je                  0x35
            //   49                   | dec                 ecx

        // Two-level table lookup: block pointer from a dword array at 0x40da60, then
        // (edi & 0x1f) * 64 + 0xc into that block, passed to an indirect call.
        // NOTE(review): the "& 0x1f / << 6 / +0xc" indexing is the shape of the MSVC
        // CRT's per-file-handle lookup, so this may be statically linked runtime code
        // rather than family-specific logic - confirm before weighting it.
        $sequence_7 = { 83e71f c1e706 8b048560da4000 8d44380c 50 ff15???????? }
            // n = 6, score = 200
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b048560da4000       | mov                 eax, dword ptr [eax*4 + 0x40da60]
            //   8d44380c             | lea                 eax, [eax + edi + 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     

        // Byte-indexed jump table (index byte read from 0x40854c, target dword from
        // 0x408530) - the usual compiled form of a switch statement - followed by the
        // first case body. Its tail overlaps with the head of $sequence_4 (see note there).
        $sequence_8 = { 0fb6884c854000 ff248d30854000 68???????? e8???????? 83c404 eb59 }
            // n = 6, score = 200
            //   0fb6884c854000       | movzx               ecx, byte ptr [eax + 0x40854c]
            //   ff248d30854000       | jmp                 dword ptr [ecx*4 + 0x408530]
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb59                 | jmp                 0x5b

        // Indirect call whose result is tested against bit 0x8000 before branching,
        // then a single-argument call and a 0x24-byte stack reservation.
        $sequence_9 = { ff15???????? a900800000 742e 68???????? e8???????? 83ec24 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   a900800000           | test                eax, 0x8000
            //   742e                 | je                  0x30
            //   68????????           |                     
            //   e8????????           |                     
            //   83ec24               | sub                 esp, 0x24

    condition:
        // At least 7 of the 10 $sequence_N strings must be present, which tolerates
        // some code churn between samples. The size bound (147456 = 144 KiB) limits the
        // rule to small unpacked binaries like the analysed samples; memory dumps or
        // larger packed files need the bound relaxed, and note that $sequence_4/_8
        // overlap, so the effective number of independent sequences is closer to 9.
        7 of them and filesize < 147456
}