ATMs were handing out the money in large stacks

Apr 3, 2017 22:14 GMT  ·  By

Two banks in Russia were hit by fileless malware that allowed attackers to get away with $800,000 in a single night. Had it not been for surveillance cameras, the banks wouldn't have even known something was amiss. 

So how does this whole thing work? Well, this type of fileless malware abuses the legitimate tools already present on the ATM, so no malicious file is ever installed on the system. Alternatively, attackers use malware that resides only in the infected machine's RAM rather than on the hard drive. Once it's gone, there's very little evidence it was ever there.

During Kaspersky's Security Analyst Summit, the firm's principal security researcher Sergey Golovanov delved into the attack that targeted two Russian banks.

With no malware evidence in their systems, the banks had only CCTV recordings showing a culprit walking up to the ATM and grabbing stacks of bills like it was the most natural thing in the world. About $100,000 worth of cash was taken from each machine, and it took less than 20 minutes to empty an ATM before moving on to the next.

A single clue was left behind: two log files that recorded everything that took place on the machines before the money was taken. The logs included one line in English - "Take the money [expletive]."

An epidemic

The running theory at Kaspersky is that these files were left behind by mistake when the malware was being uninstalled and that this line was probably displayed on the ATM's screen, telling the money mule to start grabbing the cash.

This type of fileless malware attack is becoming more frequent. In a Kaspersky report on the topic, the company said that such attacks targeted more than 140 banks across Europe, the United States and elsewhere, but few details are available about how much was stolen with this technique.