win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools that drive an ATM's cash dispenser by calling functions exported by either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate, vendor-supplied Windows DLLs used to interact with the hardware components of different ATM models; the tools contain no dispenser-control logic of their own beyond these calls. Because the DLLs are legitimate and expected on the host, detection cannot key on the libraries themselves but on an unexpected caller: a non-vendor command-line process loading either DLL on an ATM is the observable that matters.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20230125 | Detects win.atmspitter.)
// NOTE(review): the comments tagged NOTE(review) were added on top of the
// auto-generated signature. Rule name, metadata, strings and condition are
// byte-identical to the published Malpedia artifact referenced in `meta`.
rule win_atmspitter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): each "????????" wildcard masks the 4-byte operand of a
        // push imm32 (68 ..) or call [iat-slot] (ff15 ..), i.e. values that change
        // between builds or image bases; only the surrounding opcode bytes are
        // matched. Sequences without wildcards are matched byte-for-byte.
        $sequence_0 = { 68???????? ff15???????? 6a02 6a00 8bf8 6a00 57 }
            // n = 7, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi

        // NOTE(review): this sequence embeds the absolute address 0x402313
        // (bytes 13 23 40 00) of a jump table, i.e. it is tied to the sample's
        // 0x400000 image base. A rebased or recompiled variant will not hit it.
        // The same applies to $sequence_4 (0x40cbf0) and $sequence_9 (0x40d56c).
        $sequence_1 = { 59 8985a0fdffff 3bc1 0f87cb090000 ff248513234000 838de8fdffffff 89b594fdffff }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   8985a0fdffff         | mov                 dword ptr [ebp - 0x260], eax
            //   3bc1                 | cmp                 eax, ecx
            //   0f87cb090000         | ja                  0x9d1
            //   ff248513234000       | jmp                 dword ptr [eax*4 + 0x402313]
            //   838de8fdffffff       | or                  dword ptr [ebp - 0x218], 0xffffffff
            //   89b594fdffff         | mov                 dword ptr [ebp - 0x26c], esi

        // NOTE(review): the return value of the masked import call is compared
        // with 0x309; what that value means is not recoverable from the rule
        // alone. $sequence_7 below is a sub-sequence of this one (cmp/je/push/call),
        // so a hit on $sequence_2 typically implies a hit on $sequence_7 as well.
        $sequence_2 = { 0f853e020000 8d942480000000 52 ff15???????? 3d09030000 0f8425020000 68???????? }
            // n = 7, score = 200
            //   0f853e020000         | jne                 0x244
            //   8d942480000000       | lea                 edx, [esp + 0x80]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   3d09030000           | cmp                 eax, 0x309
            //   0f8425020000         | je                  0x22b
            //   68????????           |                     

        $sequence_3 = { 8b44240c 8b74244c 40 8944240c 3bc6 }
            // n = 5, score = 200
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b74244c             | mov                 esi, dword ptr [esp + 0x4c]
            //   40                   | inc                 eax
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   3bc6                 | cmp                 eax, esi

        // NOTE(review): absolute address 0x40cbf0 in the lea operand (see note
        // on $sequence_1); this is a 4-byte sequence, the weakest in the set.
        $sequence_4 = { 8bec 8b4508 56 8d34c5f0cb4000 }
            // n = 4, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   8d34c5f0cb4000       | lea                 esi, [eax*8 + 0x40cbf0]

        $sequence_5 = { 895c244c e8???????? 8d78ff 8b4608 50 89442418 }
            // n = 6, score = 200
            //   895c244c             | mov                 dword ptr [esp + 0x4c], ebx
            //   e8????????           |                     
            //   8d78ff               | lea                 edi, [eax - 1]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   50                   | push                eax
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_6 = { ff15???????? 40 837d0804 89442428 741f 8b550c 8b02 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   837d0804             | cmp                 dword ptr [ebp + 8], 4
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   741f                 | je                  0x21
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b02                 | mov                 eax, dword ptr [edx]

        // NOTE(review): short (4-element) sequence with two wildcarded operands;
        // on its own it is generic, it only carries weight in combination.
        $sequence_7 = { 3d09030000 0f8425020000 68???????? e8???????? }
            // n = 4, score = 200
            //   3d09030000           | cmp                 eax, 0x309
            //   0f8425020000         | je                  0x22b
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_8 = { 83c404 eb59 68???????? e8???????? 83c404 eb4a }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   eb59                 | jmp                 0x5b
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb4a                 | jmp                 0x4c

        // NOTE(review): absolute address 0x40d56c in the store operand (see note
        // on $sequence_1).
        $sequence_9 = { 83f805 7d10 668b4c4310 66890c456cd54000 40 ebe8 33c0 }
            // n = 7, score = 200
            //   83f805               | cmp                 eax, 5
            //   7d10                 | jge                 0x12
            //   668b4c4310           | mov                 cx, word ptr [ebx + eax*2 + 0x10]
            //   66890c456cd54000     | mov                 word ptr [eax*2 + 0x40d56c], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax

    condition:
        // NOTE(review): 10 sequences are defined, 7 must hit; 147456 = 0x24000
        // = 144 KiB. `filesize` is only defined when the scan target is a file;
        // when scanning a running process it is undefined, and an undefined
        // operand of `and` is, to my knowledge, treated as false, so this rule
        // would not fire in a live-process scan despite being derived from
        // memory dumps — confirm against the YARA version in use before relying
        // on it for in-memory detection, and scan dumped images as files instead.
        7 of them and filesize < 147456
}