win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020-01-01 — Secureworks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020-01-01 — Secureworks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2019-11-18 — QuoScient
Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 — QuoScient
QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20230808 | Detects win.atmspitter.)
rule win_atmspitter_auto {

    /* Purpose: autogenerated detection for win.atmspitter (see meta below).
     * YARA-Signator selected each $sequence_N as a run of raw 32-bit x86
     * instruction bytes observed in the Malpedia sample(s); the commented
     * disassembly under each string is the generator's annotation, not part
     * of the pattern. "??" bytes are wildcards where the generator blanked an
     * operand (here: push imm32 values, call rel32 targets and the absolute
     * address of "call dword ptr [..]"), so those instructions match no matter
     * which address is referenced.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        // NOTE(review): malpedia_rule_date/date differ from malpedia_version; presumably
        // the former are the generation dates and the latter the dataset snapshot - confirm
        // before using these values to track rule revisions.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the first two instructions of $sequence_0 (a900800000 7422) are
        // also the last two of $sequence_8. Where the two sequences abut in the binary,
        // a single code location satisfies both, so the "7 of them" condition then rests
        // on six distinct locations rather than seven.
        $sequence_0 = { a900800000 7422 68???????? e8???????? 83ec24 }
            // n = 5, score = 200
            //   a900800000           | test                eax, 0x8000
            //   7422                 | je                  0x24
            //   68????????           |                     
            //   e8????????           |                     
            //   83ec24               | sub                 esp, 0x24

        $sequence_1 = { 8be5 5d c3 8b5c2420 33c0 89442450 }
            // n = 6, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b5c2420             | mov                 ebx, dword ptr [esp + 0x20]
            //   33c0                 | xor                 eax, eax
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_2 = { 56 89442418 e8???????? 83c40c 8bf0 8974244c }
            // n = 6, score = 200
            //   56                   | push                esi
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bf0                 | mov                 esi, eax
            //   8974244c             | mov                 dword ptr [esp + 0x4c], esi

        $sequence_3 = { a4 c744241831323000 88542422 c744242800000080 89442430 }
            // n = 5, score = 200
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   c744241831323000     | mov                 dword ptr [esp + 0x18], 0x303231
            //   88542422             | mov                 byte ptr [esp + 0x22], dl
            //   c744242800000080     | mov                 dword ptr [esp + 0x28], 0x80000000
            //   89442430             | mov                 dword ptr [esp + 0x30], eax

        $sequence_4 = { 8b442410 50 53 8d4c2468 68???????? 51 ff15???????? }
            // n = 7, score = 200
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8d4c2468             | lea                 ecx, [esp + 0x68]
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     

        // NOTE(review): $sequence_5 and $sequence_6 embed absolute addresses (0x40c014,
        // 0x40c890) as literal bytes rather than wildcards. They look like data references
        // at the default 32-bit PE image base, so they are likely tied to this build's
        // layout and may not match a rebuilt or differently based sample - confirm
        // against additional samples before relying on them.
        $sequence_5 = { c3 8b04cd14c04000 5d c3 }
            // n = 4, score = 200
            //   c3                   | ret                 
            //   8b04cd14c04000       | mov                 eax, dword ptr [ecx*8 + 0x40c014]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_6 = { 8975e0 8db190c84000 8975e4 eb2b 8a4601 }
            // n = 5, score = 200
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8db190c84000         | lea                 esi, [ecx + 0x40c890]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   eb2b                 | jmp                 0x2d
            //   8a4601               | mov                 al, byte ptr [esi + 1]

        $sequence_7 = { 6a03 6816011200 68???????? ff15???????? 6a02 6a00 8bf8 }
            // n = 7, score = 200
            //   6a03                 | push                3
            //   6816011200           | push                0x120116
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax

        $sequence_8 = { 83c404 8d442420 50 ff15???????? a900800000 7422 }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   8d442420             | lea                 eax, [esp + 0x20]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a900800000           | test                eax, 0x8000
            //   7422                 | je                  0x24

        // NOTE(review): $sequence_9 is five short, very generic instructions (push 0 /
        // push edi / call [..] / push 0 / lea); on its own it is weak evidence and is
        // only meaningful in combination with the others under the condition below.
        $sequence_9 = { 6a00 57 ff15???????? 6a00 8d45fc }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   8d45fc               | lea                 eax, [ebp - 4]

    // Match requires at least 7 of the 10 sequences above and a scanned object
    // smaller than 147456 bytes (144 * 1024). The size bound is derived from the
    // reference sample(s), so the rule will not fire on larger packed containers or
    // whole-process memory images; scan unpacked / dumped PEs of comparable size.
    condition:
        7 of them and filesize < 147456
}