The use of malicious code to hack ATM is even more common in the criminal ecosystem, in the past security experts have discovered several strain of malware that was designed with this intent.
The last threat discovered by security experts at Proofpoint is “GreenDispenser,” a malware that presents many similarities with the Tyupkin malware.
The installation GreenDispenser requests a physical access to the targeted ATM, then the attacker can instruct the machine directly from the PIN pad and order the machine to dispense cash.
“GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an ‘out of service’ message on the ATM — but attackers who enter the correct pin codes can then drain the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.” states the experts at Proofpoint.
Similar to other ATM malware, GreenDispenser implements the XFS, the Extension for Financial Services DLL library(MSXFS.dll) that is specifically used by ATMs. The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.
The experts highlighted that GreenDispenser represents an evolution of the Tyupkin ATM malware, the menu used to control the ATM is protected by a two-factor authentication (2FA) mechanism and the malware is designed to operate only for a limited period of time.
According to Proofpoint, the first PIN is hardcoded meanwhile the second code is obtained by decoding a QR code displayed on the screen. The researchers believe cyber criminals likely use a mobile app to decode the QR code and obtain the dynamic authentication code.
The GreenDispenser ATM malware attempts to obtain the names of the PIN pad and the cash dispenser by querying specific registry location, if this method fails it tries the default names “Pinpad1” and “CurrencyDispener1.”
Once the fraudster is authenticated to the ATM, the machine displays a menù that is used to dispense money such as uninstall the malware.
The CurrencyDispener ATM malware checks the current date before running, it is designed to operate in 2015 and the month must be ot prior to September. The feature has been implement to deactivate the malware avoid detection.
The experts have no doubt, the ATM will continue to be a privileged instrument for crooks that will improve their malicious code to avoid detection.
“ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors,” states Proofpoint.
(Security Affairs – ATM malware, CurrencyDispener)