win.atmspitter

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:intelligence:953ab5b, author = {QuoScient}, title = {{Intelligence Brief New ATMSpitter}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf}, language = {English}, urldate = {2020-01-13} } Intelligence Brief New ATMSpitter
ATMSpitter
2019-11-18 | QuoScient | QuoScient
@techreport{quoscient:20191118:quoint:582f7b8, author = {QuoScient}, title = {{QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability}}, date = {2019-11-18}, institution = {QuoScient}, url = {https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf}, language = {English}, urldate = {2020-01-13} } QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20211008 | Detects win.atmspitter.)
rule win_atmspitter_auto {
    // Auto-generated code-sequence signature for the ATMSpitter family (win.atmspitter).
    // Ten x86 opcode sequences ($sequence_0 .. $sequence_9) were mined from the
    // disassembly of unpacked samples / memory dumps; each one carries its own
    // "n = <bytes>, score = <value>" annotation and a per-instruction listing below it.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences come from unpacked code / memory dumps
    // (see disclaimer), expect this rule to fire on unpacked or in-memory images;
    // a packed on-disk sample may not match. Pair it with memory scanning where
    // that matters.

    // Each `????????` in a hex string is a wildcarded 4-byte operand (e.g. the
    // immediate/target of the `68` / `e8` / `ff15` instructions, whose disassembly
    // column is left blank below). Those bytes vary between builds and load
    // addresses, so they are deliberately not matched.
    strings:
        $sequence_0 = { 51 52 68???????? e8???????? 83c410 8b44240c 8b74244c }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   8b74244c             | mov                 esi, dword ptr [esp + 0x4c]

        $sequence_1 = { ff15???????? a900800000 7422 68???????? e8???????? 83ec24 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   a900800000           | test                eax, 0x8000
            //   7422                 | je                  0x24
            //   68????????           |                     
            //   e8????????           |                     
            //   83ec24               | sub                 esp, 0x24

        $sequence_2 = { 8b4508 ff34c5f0cb4000 ff15???????? 5d c3 }
            // n = 5, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff34c5f0cb4000       | push                dword ptr [eax*8 + 0x40cbf0]
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_3 = { 51 a4 c744241831323000 88542422 }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   c744241831323000     | mov                 dword ptr [esp + 0x18], 0x303231
            //   88542422             | mov                 byte ptr [esp + 0x22], dl

        $sequence_4 = { 8906 8bc7 ebca 8bff 55 8bec 81ec28030000 }
            // n = 7, score = 200
            //   8906                 | mov                 dword ptr [esi], eax
            //   8bc7                 | mov                 eax, edi
            //   ebca                 | jmp                 0xffffffcc
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec28030000         | sub                 esp, 0x328

        $sequence_5 = { c7465cf89b4000 83660800 33ff 47 897e14 897e70 }
            // n = 6, score = 200
            //   c7465cf89b4000       | mov                 dword ptr [esi + 0x5c], 0x409bf8
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   33ff                 | xor                 edi, edi
            //   47                   | inc                 edi
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   897e70               | mov                 dword ptr [esi + 0x70], edi

        $sequence_6 = { 8b02 50 68???????? e8???????? 83c408 b801000000 5f }
            // n = 7, score = 200
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi

        $sequence_7 = { ebde 8bc8 83e01f c1f905 8b0c8d60da4000 c1e006 0fbe440104 }
            // n = 7, score = 200
            //   ebde                 | jmp                 0xffffffe0
            //   8bc8                 | mov                 ecx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d60da4000       | mov                 ecx, dword ptr [ecx*4 + 0x40da60]
            //   c1e006               | shl                 eax, 6
            //   0fbe440104           | movsx               eax, byte ptr [ecx + eax + 4]

        $sequence_8 = { 57 33ff ffb7c4cb4000 ff15???????? 8987c4cb4000 83c704 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7c4cb4000         | push                dword ptr [edi + 0x40cbc4]
            //   ff15????????         |                     
            //   8987c4cb4000         | mov                 dword ptr [edi + 0x40cbc4], eax
            //   83c704               | add                 edi, 4

        $sequence_9 = { ff15???????? 8987c4cb4000 83c704 83ff28 72e6 5f 5e }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8987c4cb4000         | mov                 dword ptr [edi + 0x40cbc4], eax
            //   83c704               | add                 edi, 4
            //   83ff28               | cmp                 edi, 0x28
            //   72e6                 | jb                  0xffffffe8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    // Match requires at least 7 of the 10 sequences above AND a scanned object
    // smaller than 147456 bytes (144 KiB). The size cap bounds the rule to
    // small ATMSpitter-sized binaries and keeps it from being evaluated against
    // large files; $sequence_8 and $sequence_9 overlap (both touch 0x40cbc4), so
    // they tend to hit together rather than as independent evidence.
    condition:
        7 of them and filesize < 147456
}