win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18QuoScientQuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18QuoScientQuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20220516 | Detects win.atmspitter.)
rule win_atmspitter_auto {

    /*
     * Purpose: flag samples of the ATMSpitter family (Malpedia: win.atmspitter)
     * by matching ten short code byte sequences that YARA-Signator selected from
     * the disassembly of memory dumps and unpacked files (see DISCLAIMER below).
     * Bytes written as "??" are wildcards; presumably they mask relocatable
     * operands (absolute addresses, call/jmp targets, data references — cf.
     * signator_config "datarefs") so a pattern survives relocation and rebuilds.
     * The "n"/"score" values in the per-sequence comments are emitted by the
     * generator; their exact meaning is not documented here, treat as opaque.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of consecutive instruction encodings; the
        // generator leaves the disassembly column empty for any instruction
        // whose operand was wildcarded, which is why some rows below are blank.
        $sequence_0 = { c705????????4b3a4000 8935???????? a3???????? ff15???????? a3???????? }
            // n = 5, score = 200
            //   c705????????4b3a4000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            // NOTE(review): every instruction here has a masked absolute
            // address; the first looks like a mov of the immediate 0x403a4b
            // to a global, followed by global stores and an indirect call —
            // decoded by hand from the opcode bytes, confirm before relying on it.

        $sequence_1 = { 83c404 e9???????? 68???????? e8???????? 83c404 eb77 68???????? }
            // n = 7, score = 200
            //   83c404               | add                 esp, 4
            //   e9????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb77                 | jmp                 0x79
            //   68????????           |                     

        $sequence_2 = { 0f8ca4010000 56 50 68???????? }
            // n = 4, score = 200
            //   0f8ca4010000         | jl                  0x1aa
            //   56                   | push                esi
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_3 = { 8d8984c84000 5a 668b31 668930 }
            // n = 4, score = 200
            //   8d8984c84000         | lea                 ecx, [ecx + 0x40c884]
            //   5a                   | pop                 edx
            //   668b31               | mov                 si, word ptr [ecx]
            //   668930               | mov                 word ptr [eax], si

        $sequence_4 = { ff248513234000 838de8fdffffff 89b594fdffff 89b5bcfdffff 89b5ccfdffff 89b5d0fdffff 89b5f0fdffff }
            // n = 7, score = 200
            //   ff248513234000       | jmp                 dword ptr [eax*4 + 0x402313]
            //   838de8fdffffff       | or                  dword ptr [ebp - 0x218], 0xffffffff
            //   89b594fdffff         | mov                 dword ptr [ebp - 0x26c], esi
            //   89b5bcfdffff         | mov                 dword ptr [ebp - 0x244], esi
            //   89b5ccfdffff         | mov                 dword ptr [ebp - 0x234], esi
            //   89b5d0fdffff         | mov                 dword ptr [ebp - 0x230], esi
            //   89b5f0fdffff         | mov                 dword ptr [ebp - 0x210], esi

        $sequence_5 = { 68???????? e8???????? 83c410 8b44240c 8b74244c }
            // n = 5, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b74244c             | mov                 esi, dword ptr [esp + 0x4c]

        $sequence_6 = { 3d00010000 7d10 8a8c181d010000 888878c74000 }
            // n = 4, score = 200
            //   3d00010000           | cmp                 eax, 0x100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   888878c74000         | mov                 byte ptr [eax + 0x40c778], cl

        $sequence_7 = { 6a02 6a00 8bf8 6a00 57 ff15???????? 6a00 }
            // n = 7, score = 200
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_8 = { 8bf0 52 56 ff15???????? 6a00 6a00 }
            // n = 6, score = 200
            //   8bf0                 | mov                 esi, eax
            //   52                   | push                edx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_9 = { 68???????? e8???????? 83c404 e9???????? 8d88ff0fffd7 }
            // n = 5, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e9????????           |                     
            //   8d88ff0fffd7         | lea                 ecx, [eax - 0x2800f001]

    condition:
        // At least 7 of the 10 sequences must be present, which tolerates a few
        // patterns breaking across builds; the DISCLAIMER above explains why
        // coverage of this family may still be narrow (few documented samples).
        // The filesize bound (147456 = 144 KiB) keeps the rule cheap on large
        // inputs. NOTE(review): filesize is only meaningful when scanning files —
        // confirm how this condition evaluates when scanning process memory.
        7 of them and filesize < 147456
}