Java ATM Malware: The Insider Threat Phantom

Introduction

Recently our attention was caught by a really particular malware sample most probably linked to recent cyber criminal operation against the banking sector.

This piece of malicious code is a so called “ATM malware“: a malicious tool  part of a criminal arsenal able to interact with Automatic Teller Machine. ATM malware are used in modern bank robberies due to their ability to access the cash dispenser hardware, such as ATMitch malware we analyzed on last May. In that case the malware was relying on the XFS (EXtension for Financial Service) API to “jackpot” the infected machine.

Instead, this particular ATM malware does not rely on standard communication interfaces. It is using other more specific techniques, suggesting an increased level of customization, maybe achieved by leveraging knowledge from the inside of the target organizations.

For this reason Yoroi-Cybaze ZLAB team decided to dig into this malicious tool.

Technical Report

Hash0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027
ThreatJava ATM Dispenser 
Brief DescriptionJava ATM Malware
Ssdeep6144:gm/yO7AN3q8QjcAcZ7qFx6Jo7tpYRC3ivnZj+Y5H:2O7AN35QYJZ2TlSkivZjR

Table 1. Info about the sample

The malware makes extensive use of Java Instrumentation techniques in order to manipulate the control flow of a legit Java-based ATM management software. The first action it performs is to identify the proper running Java Virtual Machine (JVM) used by the ATM software. The malware has the capability to:

  • display the list of all the JVM registered on the system
  • attach to a specific JVM defined in the arguments list
  • choose an arbitrary JVM which attach to

This is done using the Java Attach API, a Sun Microsystems extension that provides a mechanism to attach to a Java virtual machine.

Figure1. Code to identify the JVM

Once identified the target JVM, the malware forces the loading of a Java agent in it using the “vm.loadAgent(path_to_jar, options)” method.

Figure 2. Code to load the Java Agent from Jar file

The loader identifies the agent class in the specified JAR file using the “MANIFEST.MF” file embedded into it, then it loads the class into the target JVM’s context.

Figure 3. Jar’s manifest file containing the agent class name

At this point, the main class terminates printing the banner “Freedom and glory” in different languages, as shown in Figure 2. Now, the control flow moves to the “agentmain” method belonging to Agent class. Its only goal is to invoke the “startagent” method through the following code line:

getDeclaredMethod(“startagent“, String.class, Instrumentation.class).invoke((Object)null, agentArgs, ints);

The malicious intents of the malware are exhibited starting from this method. It deploys an HTTP server which acts as an interface between the attacker and the ATM under attack.

Figure 4. Code to start the HTTP server

Exploring the HTTP handler class, in fact, some suspicious information immediately emerges. In the following figure it is possible to see a hardcoded IP address “150.100.248[.]18” which will be used later. Moreover, this class embeds three static variables containing Javascript code (one of this is Base64 encoded).

Figure 5. Static strings embedded into HTTP server code

Continuing the code analysis, we encounters the server logic, which provides several functionalities that can be triggered by the attacker using simple HTTP requests.

Figure 6. Part of server logic

It is possible to summarise all the malware capabilities, exposed through the HTTP server instance, in the following table:

HTTP MethodPathQuery stringBodyDescription
POST/Base64-encoded commandExecute the specified command through cmdline
POST/d– i={id}&d={amount}Dispense the specified {amount} from the Dispenser cash unit identified by {id}
POST/dq=1Return the current amount of each cash unit
POST/evaJS scriptExecute the script using Java ScriptEngine
GET/mgrclassName1&className2Return info about the specified running Java classes 
POST/mgrclassNamemethodInvoke the method belonging to the specified Java class
GET/coreDisplay an HTML form to insert info about a JAR to load
POST/core0={Base64EncodedJAR}&1={mainClass}&2={method}&3={args}&4={type}Load a new JAR file and execute the specified method

Table 2. Malware capabilities

In the following screen, we report part of the server logic in which are highlighted the functions used by the malware to retrieve information about the ATM cash dispenser.

Figure 7. Evaluation of HTTP request

Most malicious actions are executed using Javascript code running on top of a JavaScript engine instance (included into the “runjs” method). For example, to retrieve the amount of cash stored in the dispenser the following code is invoked:

Figure 8. Javascript code to extract information about dispenser cash units

First of all, the malware retrieves the Java class associated to the Dispenser from the list of all the running classes. Then, for each dispenser’s cash unit, it invokes the “getValue” and “getActual” methods to obtain the right information from the dispenser interface.

A similar thing is done for money dispensing: after retrieving the associated object, the malware removes the “AnomalyHandler” using the “removeAnomalyHandler” method in order to stealthily achieve its objectives.

Figure 9. Javascript code used to remove the anomaly handler from dispenser

After that, it iterates the cash units dispensing the amount of bills specified by the criminals through the following function calls sequence:

  • setDispense(amount);
  • dispense();
  • present();
  • waitForBillsTaken(30);

At the end of the theft, the malware restores the “AnomalyHandler”. The complete Javascript code is shown in the following figure.

 Figure 10. Javascript code used to dispense money from all the cash units

On return, the malware communicates the success of the dispense operation connecting to the abovementioned IP (“150.100.248[.]18”) stored in the “urlreport” variable.

 Figure 11. The malware contacts the embedded IP address after dispensing

This ATM malware has also additional capabilities increasing its flexibility and dangerousness. It is able to execute arbitrary batch commands, to invoke methods directly into the memory of the running Java classes and also to run new JAR applications. The “jscmd” variable, shown in Figure 5, contains the Base64-encoded Javascript snippet useful to load the commands in the Windows cmdline:

 Figure 12. Javascript code to execute batch commands

Before launching the JS script, the malware replaces the following patterns:

  • %%shell%% with cmd.exe
  • %%arg%% with /c 
  • %%cmdb64%% with the Base64-encoded command coming from the HTTP request

Then, it invokes the “java.lang.Runtime.getRuntime().exec()” function.

 Figure 13. HTML form to specify the Jar to upload and run

Instead, in the JAR loading case the attacker preconfigured an HTML form to make the upload easier. In it, the criminal can specify which JAR to load, which is the main class and which method they want to execute first. A set of tools to ensure the criminals will be able to overcome eventual technical faults in their ATM cashouts.

Conclusion

Cyber criminals are threatening financial and banking sector for a long time. During the years, criminal groups evolved their operation and developed more sophisticated arsenals, achieving customization capabilities making them able to target specific organizations, even if they are not leveraging known Industry Standards. 

As recently pointed by Kaspersky, these criminals reached such sophistication and customization levels by leveraging deep knowledge of the target systems, making the malware work just on a small fraction of the AMTs. How the crooks accessed this knowledge is the Question.

At the moment it’s not clear how the technical information required to develop ad hoc malware have been accessed. A wide range of scenario are possible, such as the involvement of an insider, the long term compromise of the whole target network or just a small subset of mailboxes, or maybe a compromise of the Software Development Supply Chain. A set of scenarios that need to be seriously taken into account by the financial and banking organizations aiming to tackle modern bank thieves.

Indicato of Compromises

Hashes:

  • 0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027

C2:

  • 150.100.248[.]18

Yara Rules

rule Java_ATM_Malware {
meta:
	description = "Yara Rule for Java ATM malware"
	author = "Cybaze - Yoroi ZLab"
	last_updated = "2019-07-18"
	tlp = "white"
	category = "informational"
strings:
	$h = {50 4B 03 04}
	$s1 = "Main-Class: injx2.INJX" ascii wide
	$s2 = "Agent-Class: injx2.Agent" ascii wide
	$a1 = "150.100.246.18" ascii wide
	$a2 = "Peripheral.Dispenser" ascii wide
	$b = "sun/tools/attach/WindowsAttachProvider" ascii wide
	
condition:
	$h and 1 of ($s*) and 1 of($a*) and $b
}

This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB