VIDEO: Malware used to steal cash from ATM machines

Kaspersky has detailed an interesting and naughty piece of malware that allowed attackers to steal cash directly from some ATM machines running an embedded Microsoft Windows OS.

The malware was active on at least 50 ATM machines in Eastern Europe, but there is some evidence that it has spread beyond the region to many other countries, including Canada, France, India and the United States. Kaspersky Lab's Global Research and Analysis Team came to this conclusion based on statistics of submissions made to the popular VirusTotal service.

It is targeted at ATM machines made by a major manufacturer, running a 32-bit embedded Windows operating system, and it is smart enough to hide itself using several tactics.

What is interesting is that Kaspersky cited security camera footage from the locations of infected ATM machines showing that a bootable CD was used to infect them. The CD transfers the malware to the device, performs some checks and then edits the registry so that the malware starts at boot. The malware then interacts with the ATM through the standard library MSXFS.dll, which Kaspersky informs readers is the "Extension for Financial Services (XFS)."

It then runs in an infinite loop waiting for user input, but by default it will only accept commands on Sunday and Monday nights. It accepts multiple commands from an operator, who must then press the Enter button on the keypad to proceed. Another clever trick, requiring that a session key be entered, is clearly intended to ensure that only the right people can manipulate the machine.

It uses a random seed for every session, which is displayed on screen, and the operator needs to know the algorithm to generate a session key based on this random seed. If all goes right, the operator can now do some things you wish you could do at an ATM, like entering a cassette number and having the ATM dispense 40 banknotes from it.

Check out a video demonstration.

Source: SecureList (Kaspersky)

Written by: James Delahunty @ 9 Oct 2014 0:28
malware Kaspersky Tyupkin
  • DXR88

    and the banks that employ these machines deserve to be hacked, who's the dumb ass that thought it would be a great idea to give the user access to a bootable device.

    if i found these machines i could probably script them to spit out everything they've got.


    12.10.2014 16:43 #1

  • xboxdvl2

    sounds like something that is commonly seen in movies where someone runs a laptop to the atm and makes the atm spit out heaps of money.

    custom built gaming pc from early 2010,ps2 with 15 games all original,ps3 500gbs with 5 games all original,yamaha amp and 5.1channel surround sound speakers,46inch sony lcd smart tv.

    13.10.2014 05:51 #2

© 2022 AfterDawn Oy
