New Alice ATM Malware, a lightweight and efficient threat

Pierluigi Paganini December 21, 2016

Alice ATM malware is a new threat targeting ATMs discovered by researchers at Trend Micro  as part of a joint research project with Europol EC3.

Security experts from Trend Micro have discovered a strain of ATM malware, dubbed Alice, that was designed to target the safes of the self-serve machines.

The malware is very essential, it doesn’t implement data stealing capabilities and cannot be controlled via the numeric keypad of the ATM.

Researchers spotted for the first time the Alice ATM malware in November 2016 as part of a joint research project on ATM malware with Europol EC3, but they speculate is has been around since 2014.

When Alice was spotted for the first time, researchers thought if was a new variant of the known ATM malware Padpin .Further investigation led to the discovery of a new a new family called Alice.

“Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered.” states the analysis published by Trend Micro.”Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs.”

Alice ATM malware

According to the researcher, crooks need to physically access the ATM in order to empty its dispenser, a circumstance that suggests Alice has been designed for money mules.

“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism – it works by merely running the executable in the appropriate environment,” the researchers say.

The Alice ATM malware can also be used via Remote Desktop Protocol (RDP), but researchers haven’t found evidence of such use.

When Alice is executed, it creates in the root directory an empty 5 MB+ sized file called xfs_supp.sys and an error logfile called TRCERR.LOGThe first file is filled with zeros and doesn’t contain data, the second file (TRCERR.LOG) is an error log file used by the Alice malware. The log file traces any XFS API calls and related messages/errors. This file remains on the machine even when the malware is removed, likely for future troubleshooting or simply because the vxers forgot to remove it.

The researchers noticed that the malware only connects to the CurrencyDispenser1 peripheral and doesn’t include the code to use the PIN pad, likely it was designed to allow crooks with a physical access to the ATM to infect it via USB or CD-ROM.

“It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.” continues the analysis.

The Alice ATM malware was packed with a commercial, off-the-shelf packer/obfuscator called VMProtect. The malware implements a number of features to avoid the analysis of the researchers, it prevents the execution in environments that are not ATM and debuggers.

Alice supports the following three commands each issued via specific PINs:

  • Drop a file for uninstallation.
  • Exit the program run the uninstallation/cleanup routine.
  • Open the “operator panel,” to see the amount of cash available into the ATM.

In the attack scenario, the money mule enter the ID of the cassette ID for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API.

ATMs typically have a 40-banknote dispensing limit, this means that crooks need to repeat the operation multiple times to dispense all the stored cash in the cassette.

Alice has no persistence method, crooks manually replace the Windows Task Manager (taskmgr.exe) with Alice, any command that would invoke the Task Manager would instead invoke Alice.

The report also includes the Indicators of Compromise, below the SHA256 hashes of the malware:

  • 04F25013EB088D5E8A6E55BDB005C464123E6605897BD80AC245CE7CA12A7A70
  • B8063F1323A4AE8846163CC6E84A3B8A80463B25B9FF35D70A1C497509D48539

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Alice ATM malware, cybercrime)

you might also like

leave a comment