The method was a complete mystery, and the only clues left behind were files containing a single line of English text: "Take the money, bitch."
It was fast and furious, and if not for the surveillance cameras that captured the heist in action, two banks in Russia would never have known what occurred last year when eight of their ATMs were drained of cash—nearly a million dollars worth of rubles in a single night.
When one of the banks contacted the Russian cybersecurity firm Kaspersky Lab to investigate, the only evidence was CCTV recordings showing a lone culprit walking up to the ATMs and, without even touching the machines, grabbing thick stacks of bills—about $100,000 worth of cash from each machine, dispensed 40 bills at a time—as they magically spit out. It took less than 20 minutes to clean one machine dry before the money mule moved on to other ATMs in the city and replayed the scene.
The method behind the feat was a complete mystery. The bank could find no malware on its ATMs or backend network, and no sign of an intrusion either. But the attackers did inadvertently leave one clue behind—two log files that recorded everything that occurred on the machines before the money disappeared. The logs included one telling line of English text ("Take the money bitch") which turned out to be their undoing.
"Our theory is that during the uninstall [of the malware], something went wrong with the malware and that's why the [log] files were left," says Sergey Golovanov, principal security researcher with Kaspersky in Russia, who investigated the heists.
Earlier this year, Kaspersky reported that a rash of invisible "fileless" attacks had targeted more than 140 banks and other targets in Europe, the US and elsewhere, but provided few details about the victims or the degree to which the attacks succeeded.
Fileless malware attacks use the existing legitimate tools on a machine so that no malware gets installed on the system, or they use malware that resides only in the infected machine's random-access-memory, rather than on the hard drive, so that the malware leaves no discernible footprint once it's gone.
The two Russian banks that got robbed in that single night were victims of a fileless attack, and today at Kaspersky's Security Analyst Summit on the island of St. Maartens, Golovanov revealed the story behind the attacks.
Golovanov told Motherboard in an interview before the conference that when he and his colleagues examined the two log files containing the English text, they laughed at the boldness. The heist worked in three stages, with the first two using commands that instructed the ATM to withdraw the bills stored in cassettes and place them in line to be dispensed, and the third stage using a command that opened the mouth of the ATM. It was at this point that the command, "Take the money bitch," appeared in the log file, and possibly on the ATM's screen as well to signal the money mule to grab the bills and go.
The command, "Take the money bitch," appeared in the log file, and possibly on the ATM's screen as well to signal the money mule to grab the bills and go.
The log files made it obvious that the bank had been hacked, but the researchers needed samples of the missing malware that had been on the machines to see how the robbers had pulled it off. So Golovanov and his team created a YARA rule for the line of English text they found in the logs—YARA is a tool that lets researchers sift through a lot of files and networks using a search string—and used it to search files submitted to .
VirusTotal is a website that aggregates dozens of antivirus programs in one spot. Security researchers and others can submit suspicious files to the site to see if any of the programs detect them as malicious. Golovanov's team found a match with two files that someone had uploaded from Russia and Kazakhstan.
They reverse-engineered the code and dug through the bank's network to reconstruct how the attack occurred, discovering that the hackers built extensive digital tunnels throughout the bank's network, which they used to issue PowerShell commands to the ATMs. This allowed the attackers to control the machines in real-time when the money mule was present.
No arrests have been made in the heist yet. Kaspersky thinks the culprits might be connected to one of two previously known gangs of bank hackers, known as and Carbanak.
"It could be just one person or two persons [doing this]," Golovanov says, noting that the CCTV images seemed to show the same person extracting money from all the ATMs.
Golovanov says that tracking fileless attacks is difficult but not impossible.
"To address these issues, memory forensics is becoming critical to the analysis of malware and its functions," he noted in a statement released by Kaspersky. "And as our case proves, a carefully directed incident response can help solve even the perfectly prepared cybercrime."
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.