Security experts at Kaspersky Lab have spotted a new strain of the ATM malware dubbed ‘Skimer’ (Backdoor.Win32.Skimer). Skimer is an old threat that has been around since 2009 and is used by criminal organizations to steal cash and payment card data from ATMs.
The Skimer malware was one of the first threats specifically designed to target ATMs directly.
The researchers have detected 49 variants of the malware, most of them (37) specifically designed to compromise ATMs from a single manufacturer. The threat actors behind the malware have improved Skimer over time; the latest variant, spotted a few days ago, is very hard to analyze.
“Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.”
According to Kaspersky, the bad actors used the commercially available packer Themida to pack both the infector and the dropper, which complicates static analysis of the samples.
Once the Skimer ATM malware is executed, it checks the file system and drops a file named netmgr.dll. If the volume is FAT32, netmgr.dll is written to the System32 folder; if it is NTFS, the file is hidden in an NTFS alternate data stream attached to the XFS service executable, SpiService.exe, so it does not show up as a separate file in an ordinary directory listing.
SpiService.exe is the XFS service. XFS (eXtensions for Financial Services) is the standard DLL library (MSXFS.dll) used by ATM software; it exposes an API for communication with the ATM’s PIN pad and cash dispenser.
The malicious code adds a LoadLibrary call for netmgr.dll to SpiService.exe, so that the library is loaded into the XFS service once the infected ATM is rebooted.
SpiService.exe is the XFS service of ATMs manufactured by Diebold.
With this mechanism Skimer gains access to XFS and is able to interact with all the connected peripherals.
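The two drop locations above give a defender something concrete to look for. The following Python script is an added example (not code from Kaspersky Lab or Security Affairs): it checks for a plain netmgr.dll in System32 (the FAT32 case) and enumerates the NTFS streams of SpiService.exe with the Win32 FindFirstStreamW API (the NTFS case), flagging any stream other than the default unnamed one. The System32 path for SpiService.exe is an assumption; adjust it for the image in use.

```python
"""Check an ATM host for the two Skimer drop locations described above.

Added example, not code from Kaspersky Lab or Security Affairs.
Assumptions: the XFS service binary is C:\\Windows\\System32\\SpiService.exe
(assumed path) and the dropped library is named netmgr.dll, as in the article.
"""
import ctypes
import os
import sys

SYSTEM32 = r"C:\Windows\System32"                       # assumed location
XFS_SERVICE_EXE = os.path.join(SYSTEM32, "SpiService.exe")
DROPPED_NAME = "netmgr.dll"
MAX_PATH = 260


def classify_streams(stream_names):
    """Flag every NTFS stream on the XFS binary other than the default one.

    FindFirstStreamW names the unnamed data stream "::$DATA"; an alternate
    data stream shows up as ":<name>:$DATA", e.g. ":netmgr.dll:$DATA" for
    the Skimer drop. Returns a list of (tag, stream_name) findings.
    """
    findings = []
    for name in stream_names:
        if name == "::$DATA":
            continue
        if DROPPED_NAME.lower() in name.lower():
            findings.append(("skimer-like", name))
        else:
            findings.append(("unexpected-ads", name))
    return findings


class _FindStreamData(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA from <fileapi.h>
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Enumerate the NTFS streams of `path` via FindFirstStreamW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration requires Windows")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _FindStreamData()
    # 0 = FindStreamInfoStandard; INVALID_HANDLE_VALUE (-1) signals failure
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == ctypes.c_void_p(-1).value:
        raise ctypes.WinError()
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def check_host():
    """Run both checks from the article and return a list of findings."""
    findings = []
    fat32_drop = os.path.join(SYSTEM32, DROPPED_NAME)
    if os.path.exists(fat32_drop):              # FAT32 case: plain file in System32
        findings.append(("file-present", fat32_drop))
    if os.path.exists(XFS_SERVICE_EXE):         # NTFS case: ADS attached to SpiService.exe
        findings.extend(classify_streams(list_streams(XFS_SERVICE_EXE)))
    return findings


if __name__ == "__main__":
    for tag, where in check_host():
        print(f"[{tag}] {where}")
```

A hit is a lead, not proof: a legitimately installed netmgr.dll or an unrelated alternate stream (a Zone.Identifier stream, for instance) will also be reported, so the flagged file should be pulled for analysis rather than deleted on sight. Because Skimer only becomes active after a reboot, the dropped library may be found on a machine that has not yet started dispensing cash.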
Kaspersky noticed that the criminals control the Skimer malware with two types of specially crafted cards. The malware uses the data stored in Track 2 to tell the two kinds apart: one type carries commands hardcoded in Track 2 and executes them directly, the other unlocks the malware interface so that the operator can run one of 21 predefined commands via the PIN pad.
“Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:”
Below are some of the commands accepted by the malware interface:
The experts noted that the hardcoded Track 2 data is also the malware’s weak point: the card numbers are easy to pick out with the security solutions used to protect ATMs and in the banks’ own card processing systems.
“Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.” states the post published by Kaspersky.
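As an added example (not Kaspersky’s or Security Affairs’ code) of the check Kaspersky suggests, here is a small Python scan of authorization log lines: it parses the Track 2 field, extracts the PAN and matches it against a watchlist of command-card numbers. The log format, the ATM identifiers and the watchlisted PANs are all constructed placeholders (the page does not reproduce the real Skimer card numbers); a bank would load the real indicators it receives in their place. The Luhn check is a general sanity heuristic added here, not something the article describes.

```python
"""Hunt for Skimer command cards in card processing logs.

Added example, not code from Kaspersky Lab or Security Affairs. The log
format, ATM identifiers and watchlisted PANs below are constructed
placeholders; replace WATCHLIST with the real indicators the bank receives.
"""
import re
from dataclasses import dataclass

# Track 2 layout: [;]PAN=YYMM SSS discretionary[?]  (ISO/IEC 7813)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed placeholders standing in for the hardcoded Skimer card numbers.
WATCHLIST = {"4111111111111111", "5500000000000004"}


@dataclass
class Track2:
    pan: str
    expiry: str           # YYMM
    service_code: str
    discretionary: str


def parse_track2(raw):
    """Return a Track2 record, or None if the string is not valid Track 2 data."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def luhn_ok(pan):
    """Standard Luhn check digit test for a PAN (general heuristic, not from the article)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_log(lines, watchlist):
    """Return (atm_id, pan, reason) for every suspicious Track 2 read in the log."""
    hits = []
    for line in lines:
        # key=value tokens; the first '=' splits key from value, so the '='
        # inside the Track 2 data stays in the value
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        t2 = parse_track2(fields.get("track2", ""))
        if t2 is None:
            continue
        atm = fields.get("atm", "?")
        if t2.pan in watchlist:
            hits.append((atm, t2.pan, "watchlisted command card"))
        elif not luhn_ok(t2.pan):
            hits.append((atm, t2.pan, "PAN fails Luhn check"))
    return hits


# Constructed sample log: two command-card reads on one ATM, one clean card,
# one malformed PAN and one unparseable read.
SAMPLE_LOG = """\
2016-05-12T10:14:03Z atm=ATM-0417 track2=;4111111111111111=19121011234567890? result=APPROVED
2016-05-12T10:15:47Z atm=ATM-0417 track2=;5500000000000004=18063011000000000? result=DECLINED
2016-05-12T10:16:02Z atm=ATM-0212 track2=;4012888888881881=20011012345? result=APPROVED
2016-05-12T10:17:30Z atm=ATM-0212 track2=;1234567890123456=2001101? result=APPROVED
2016-05-12T10:18:11Z atm=ATM-0212 track2=garbage result=ERROR
"""


if __name__ == "__main__":
    for atm, pan, reason in scan_log(SAMPLE_LOG.splitlines(), WATCHLIST):
        print(f"{atm}: PAN {pan[:6]}...{pan[-4:]} ({reason})")
```

The useful output is not the individual hit but its context: the ATM on which a watchlisted card was read is the one to pull for the netmgr.dll check, and the same card turning up on several machines points at a mule route. Note that the authorization result is irrelevant here; the malware reacts to the card locally, so a declined or approved response from the host says nothing about whether the command ran.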
The researchers also recommend a series of countermeasures, including:
(Security Affairs – ATM, Skimer)