win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_atmspitter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (win.atmspitter)
     * - Ten 32-bit x86 code sequences follow. Each "??" is a wildcard byte; the
     *   generator masks operands it did not pin (call/jmp targets, absolute
     *   data references, pushed immediates), so those instructions show no
     *   disassembly in the per-line comments below.
     * - Several sequences still embed 32-bit constants that look like absolute
     *   virtual addresses or sample-specific values (e.g. 0x40cbc4 in
     *   $sequence_4, 0x40c450 in $sequence_8). Those tie the match to one
     *   build/image base and are the first candidates to fail on recompiled
     *   or relocated variants. Treat hits on the remaining sequences as the
     *   more robust signal.
     * - The rule matches on unpacked code. If a sample is packed, scan the
     *   unpacked file or a memory dump rather than the on-disk artefact.
     */

    strings:
        $sequence_0 = { c744243400100000 ff15???????? a900800000 7424 68???????? e8???????? 83ec24 }
            // n = 7, score = 100
            //   c744243400100000     | mov                 dword ptr [esp + 0x34], 0x1000
            //   ff15????????         |                     
            //   a900800000           | test                eax, 0x8000
            //   7424                 | je                  0x26
            //   68????????           |                     
            //   e8????????           |                     
            //   83ec24               | sub                 esp, 0x24
            // NOTE(review): the masked "ff15" is an indirect call through an
            // import slot; the following test of eax against 0x8000 checks a
            // flag in the callee's return value. Which import is called is not
            // recoverable from the bytes here.

        $sequence_1 = { ff15???????? b9e1070000 66394c2450 0f854a020000 66837c245207 0f853e020000 8d942480000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   b9e1070000           | mov                 ecx, 0x7e1
            //   66394c2450           | cmp                 word ptr [esp + 0x50], cx
            //   0f854a020000         | jne                 0x250
            //   66837c245207         | cmp                 word ptr [esp + 0x52], 7
            //   0f853e020000         | jne                 0x244
            //   8d942480000000       | lea                 edx, [esp + 0x80]
            // NOTE(review): two adjacent 16-bit stack fields are compared with
            // 0x7e1 (2017) and 7 right after an imported call; this resembles a
            // year/month check on a time structure (e.g. SYSTEMTIME), which
            // would make the tool date-gated — unconfirmed, verify in the
            // sample before relying on it for triage.

        $sequence_2 = { 83c414 8d542420 52 ff15???????? a900800000 }
            // n = 5, score = 100
            //   83c414               | add                 esp, 0x14
            //   8d542420             | lea                 edx, [esp + 0x20]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   a900800000           | test                eax, 0x8000
            // Same import-call + "test eax, 0x8000" idiom as $sequence_0.

        $sequence_3 = { 68???????? e8???????? 83c408 68???????? e8???????? 83c404 8d442420 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d442420             | lea                 eax, [esp + 0x20]
            // Generic cdecl call pattern (push immediates, call, clean up
            // stack); on its own this is weak evidence and common to many
            // MSVC-compiled binaries.

        $sequence_4 = { 8bff 56 57 33ff ffb7c4cb4000 }
            // n = 5, score = 100
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7c4cb4000         | push                dword ptr [edi + 0x40cbc4]
            // NOTE(review): edi is zeroed immediately before, so the final push
            // reads the fixed address 0x40cbc4 — an absolute reference that is
            // specific to this sample's image base/layout.

        $sequence_5 = { e8???????? 83c408 5d c3 68???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   68????????           |                     
            // Function epilogue followed by the next function's first push;
            // generic compiler output, low specificity by itself.

        $sequence_6 = { 7763 744f 8bc8 81e922140020 7433 49 741e }
            // n = 7, score = 100
            //   7763                 | ja                  0x65
            //   744f                 | je                  0x51
            //   8bc8                 | mov                 ecx, eax
            //   81e922140020         | sub                 ecx, 0x20001422
            //   7433                 | je                  0x35
            //   49                   | dec                 ecx
            //   741e                 | je                  0x20
            // Switch-like dispatch on a value in eax: subtract 0x20001422 and
            // test for 0, 1, ... The constant is not identified here; it may be
            // a vendor status/result code — confirm against the vendor SDK
            // headers if available.

        $sequence_7 = { a1???????? 8a15???????? 53 56 57 b910000000 be???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8a15????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   b910000000           | mov                 ecx, 0x10
            //   be????????           |                     
            // The masked a1/8a15/be operands are absolute data addresses;
            // ecx = 0x10 followed by a masked esi load suggests a 16-unit copy
            // or loop setup, but the source buffer is not visible here.

        $sequence_8 = { c686c800000043 c6864b01000043 c7466850c44000 6a0d e8???????? 59 }
            // n = 6, score = 100
            //   c686c800000043       | mov                 byte ptr [esi + 0xc8], 0x43
            //   c6864b01000043       | mov                 byte ptr [esi + 0x14b], 0x43
            //   c7466850c44000       | mov                 dword ptr [esi + 0x68], 0x40c450
            //   6a0d                 | push                0xd
            //   e8????????           |                     
            //   59                   | pop                 ecx
            // NOTE(review): writes two 'C' (0x43) bytes and the absolute value
            // 0x40c450 into a structure at esi. The 0x40c450 literal is another
            // image-base-specific constant; the 0x43 bytes look like ASCII
            // field initialisers, semantics not determinable from this snippet.

        $sequence_9 = { e8???????? 8b4528 83c404 3d04e00020 7739 7428 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4528               | mov                 eax, dword ptr [ebp + 0x28]
            //   83c404               | add                 esp, 4
            //   3d04e00020           | cmp                 eax, 0x2000e004
            //   7739                 | ja                  0x3b
            //   7428                 | je                  0x2a
            // Compares a value loaded from the frame against 0x2000e004 —
            // same 0x2000xxxx family of constants as $sequence_6, likewise
            // unidentified here.

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 147456 bytes (144 KiB). Because the
        // size bound applies to the whole scanned object, full process memory
        // dumps or large containers that embed the tool will not match even
        // when all sequences are present — carve or unpack first.
        7 of them and filesize < 147456
}