Introduction

In this lab, you are tasked with analyzing a sophisticated piece of malware, named ATMii, that exploits ATM software to dispense cash illicitly. This exercise is crucial for understanding how attackers leverage legitimate system APIs and interfaces to compromise critical financial infrastructure. The analysis focuses on dissecting the malware's methods, uncovering its attack vectors, and exposing its dependencies on specific APIs and files. By doing so, we can develop robust countermeasures to protect financial institutions from similar threats.

The investigation relies heavily on static analysis techniques using tools such as Ghidra and IDA Free.

Static analysis involves examining the malware's code and structure without executing it, making it a safe and efficient approach for understanding malicious behavior. In this lab, you will analyze strings, imports, and cross-references within the malware's binary, enabling you to trace its functionality step by step. Critical operations like process injection, memory manipulation, and API hooking are examined to reveal how the malware interacts with ATM hardware and manipulates system operations.

Key insights include identifying the API functions and libraries used by the malware, such as WFSExecute and WFSGetInfo from the MSXFS.dll module, which allow direct control over ATM hardware. Additionally, you will analyze how the malware hooks legitimate APIs, injects shellcode into memory, and retrieves operational parameters from configuration files. This walkthrough emphasizes how the malware's design leverages the XFS API, a standard in ATM software, to by
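As an added example (not part of the lab or code from the ATMii sample), the Python helper below performs the first step the lab describes: pulling printable strings out of a binary and flagging references to MSXFS.dll and the WFSExecute/WFSGetInfo entry points, so an analyst knows early that the sample can drive XFS devices directly. The byte blob it scans is constructed here to stand in for a slice of a PE import name table.

```python
import re
from typing import NamedTuple

class FoundString(NamedTuple):
    offset: int
    encoding: str  # "ascii" or "utf-16le"
    text: str

# Indicators the lab names: the XFS library and the two entry points ATMii calls.
XFS_LIBRARY = "msxfs.dll"
XFS_EXPORTS = ("WFSExecute", "WFSGetInfo")

def extract_strings(data: bytes, min_len: int = 4) -> list[FoundString]:
    """Pull printable ASCII and UTF-16LE runs out of a binary, with their file offsets."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [FoundString(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [FoundString(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)

def xfs_indicators(strings: list[FoundString]) -> dict:
    """Report whether the binary references MSXFS.dll and which WFS* entry points it names."""
    library = [s.offset for s in strings if s.text.lower() == XFS_LIBRARY]
    exports = sorted({name for s in strings for name in XFS_EXPORTS if name in s.text})
    return {
        "library_offsets": library,
        "exports": exports,
        # Library plus at least one entry point: the binary can talk to XFS devices directly.
        "suspicious": bool(library) and bool(exports),
    }

# Constructed stand-in for a slice of a PE import name table (not bytes from ATMii).
SAMPLE_BLOB = (
    b"\x00\x00\x10\x00\x00\x00"             # binary filler
    + b"MSXFS.dll\x00\x00\x00\x00\x00"       # imported library name
    + b"WFSGetInfo\x00\x00WFSExecute\x00"    # hint/name entries
    + b"\x01\x02\x03"
    + "ATM lab sample".encode("utf-16-le")  # wide string, as Windows binaries often carry
    + b"\x00\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for s in found:
        print(f"{s.offset:#06x} {s.encoding:8} {s.text}")
    print(xfs_indicators(found))
```

Running it against a real sample's bytes gives the offsets to follow up on in Ghidra or IDA with cross-references, which is where the lab's walkthrough continues.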
