win.atmspitter (Back to overview)

ATMSpitter

Actor(s): Cobalt


The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.
Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

References
2020-01-01 · Secureworks (SecureWorks) · GOLD KINGSWOOD
Tagged families: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz
2020-01-01 · Secureworks (SecureWorks) · GOLD KINGSWOOD
Tagged families: More_eggs, ATMSpitter, Cobalt Strike, CobInt, MimiKatz — Actor: Cobalt
2019-11-18 · QuoScient (QuoScient) · Intelligence Brief: New ATMSpitter
Tagged families: ATMSpitter
2019-11-18 · QuoScient (QuoScient) · QuoINT INTELBRIEF – Actors Exploiting the RCE Vulnerability
Tagged families: ATMSpitter
Yara Rules
[TLP:WHITE] win_atmspitter_auto (20260504 | Detects win.atmspitter.)
rule win_atmspitter_auto {

    /* Auto-generated code-signature rule for the ATMSpitter family (see meta).
     * The ten $sequence_N strings are short x86 instruction-byte runs chosen
     * by yara-signator from disassembly. In every sequence the "??" wildcards
     * sit on the operand bytes of call (e8), push-imm (68), mov-from-mem (8b1d)
     * and call-indirect (ff15) instructions -- the positions whose disassembly
     * is left blank below -- so relocated/rebased code still matches on the
     * opcode skeleton. Operands that are NOT wildcarded (see the notes on
     * $sequence_3, _4, _7, _8 and _9) are literal values from the reference
     * sample and pin the rule more tightly to that build.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.atmspitter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? e8???????? 83c404 eb77 68???????? e8???????? }
            // n = 6, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb77                 | jmp                 0x79
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_1 = { 8b4c2414 8b54244c 51 52 68???????? e8???????? 83c410 }
            // n = 7, score = 200
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_2 = { 8b1d???????? 56 57 50 c745fc00000000 ffd3 }
            // n = 6, score = 200
            //   8b1d????????         |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   50                   | push                eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ffd3                 | call                ebx

        $sequence_3 = { e8???????? 83c404 e9???????? 3d00f00028 0f87b7000000 0f849f000000 3d04ef0020 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   e9????????           |                     
            //   3d00f00028           | cmp                 eax, 0x2800f000
            //   0f87b7000000         | ja                  0xbd
            //   0f849f000000         | je                  0xa5
            //   3d04ef0020           | cmp                 eax, 0x2000ef04
            // NOTE(review): the two 32-bit compare immediates (0x2800f000,
            // 0x2000ef04) are literal, not wildcarded; they are compared
            // against a call's return value in eax, so they are probably
            // status/result codes -- which API they belong to is not
            // established by this rule alone.

        $sequence_4 = { 8b0c8d60da4000 c1e006 0fbe440104 83e040 }
            // n = 4, score = 200
            //   8b0c8d60da4000       | mov                 ecx, dword ptr [ecx*4 + 0x40da60]
            //   c1e006               | shl                 eax, 6
            //   0fbe440104           | movsx               eax, byte ptr [ecx + eax + 4]
            //   83e040               | and                 eax, 0x40
            // NOTE(review): 0x40da60 is a hard-coded absolute data address
            // (also used by $sequence_7). A rebuilt or rebased variant that
            // places this table elsewhere will not satisfy this sequence.

        $sequence_5 = { 68???????? e8???????? 83c408 68???????? e8???????? 8b4528 83c404 }
            // n = 7, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   68????????           |                     
            //   e8????????           |                     
            //   8b4528               | mov                 eax, dword ptr [ebp + 0x28]
            //   83c404               | add                 esp, 4

        $sequence_6 = { 89442430 ff15???????? 40 837d0804 89442428 741f 8b550c }
            // n = 7, score = 200
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   837d0804             | cmp                 dword ptr [ebp + 8], 4
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   741f                 | je                  0x21
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_7 = { e8???????? ebd1 8bc8 c1f905 8d3c8d60da4000 8bf0 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   ebd1                 | jmp                 0xffffffd3
            //   8bc8                 | mov                 ecx, eax
            //   c1f905               | sar                 ecx, 5
            //   8d3c8d60da4000       | lea                 edi, [ecx*4 + 0x40da60]
            //   8bf0                 | mov                 esi, eax
            // NOTE(review): same literal address 0x40da60 as $sequence_4;
            // "sar ecx, 5" / "[ecx*4 + base]" indexing of a fixed table --
            // build-specific, see the note on $sequence_4.

        $sequence_8 = { 81e907ef0020 7419 49 0f85dd000000 68???????? e8???????? 83c404 }
            // n = 7, score = 200
            //   81e907ef0020         | sub                 ecx, 0x2000ef07
            //   7419                 | je                  0x1b
            //   49                   | dec                 ecx
            //   0f85dd000000         | jne                 0xe3
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            // NOTE(review): literal constant 0x2000ef07 (compare with the
            // 0x2000ef04 immediate in $sequence_3); a two-way dispatch on a
            // value in ecx. Meaning of the constant is not established here.

        $sequence_9 = { 56 57 33ff ffb7c4cb4000 ff15???????? }
            // n = 5, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb7c4cb4000         | push                dword ptr [edi + 0x40cbc4]
            //   ff15????????         |                     
            // NOTE(review): 0x40cbc4 is another hard-coded absolute address
            // (edi is zeroed just before, so this reads exactly that
            // location); the ff15 import-call target is wildcarded.

    /* Match rule: at least 7 of the 10 sequences must be present, and the
     * scanned object must be smaller than 147456 bytes (144 KiB). The size
     * bound keeps the rule aimed at small unpacked binaries such as the
     * documented samples; larger carriers (installers, packed droppers,
     * dumps with extra padding) are excluded by design. Confirm how your
     * scanner evaluates `filesize` on process-memory scans before relying
     * on this rule there, since the condition is written for file scanning.
     */
    condition:
        7 of them and filesize < 147456
}