Skimer malware evolves, it is used to target ATMs

Pierluigi Paganini May 18, 2016

Experts at Kaspersky Lab have detected a new variant of  the Skimer malware used to steal money and payment card data from ATMs.

Security experts at Kaspersky Lab have spotted a new strain of the malware dubbed ‘Skimer’ (Backdoor.Win32.Skimer). Skimer is an old threat that has been around since 2009, it is used by criminal organizations to steal money and payment card data from ATMs.

The Skimer malware was one of the first threat specifically designed to directly target ATMs.

The researchers have detected 49 variants of the malware, most of them (37) specifically designed to compromise ATMs from a single manufacturer. The

Threat actors behind the malware have improved the Skimer threat over the time, the last variant that was spotted a few days ago is very hard to analyze.

“Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.”

According to Kaspersky, bad actors used the using commercially available packer Themida to pack both the infector and the dropper.

Once the Skimer ATM malware is executed, it drops a file named netmgr.dll on the system. If the machine uses FAT32, the netmgr.dll is dropped in the System32 folder, if it uses NTFS, the file is placed in the NTFS data stream corresponding to an executable named SpiService.exe.

The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library(MSXFS.dll) that is specifically used by ATMs. The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.

The malicious code adds a new LoadLibrary call to SpiService.exe to allow the loading of the netmgr.dll library into the XFS service after the malware reboots the infected ATM.

The SpiService.exe is a service specific to ATM machine manufactured by the Diebold companies.

With this mechanism, Skimer gets the access to the XFS and is able to interact with all the connected peripherals.

compromised ATM

Kaspersky noticed that hackers can control the Skimer malware by using two types of cards that are specifically crafted. The authors of the malware use the data stored in the Track 2 to discriminate the two kinds of cards, one type for executing commands hardcoded in Track 2, the other to execute one of 21 predefined commands using the PIN pad and the malware interface.

“Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:”

  1. Card type 1 – request commands through the interface
  2. Card type 2 – execute the command hardcoded in the Track2

Below some of the commands accepted by the malware interface:

  1. Show installation details;
  2. Dispense money – 40 notes from the specified cassette;
  3. Start collecting the details of inserted cards;
  4. Print collected card details;
  5. Self delete;
  6. Debug mode;
  7. Update (the updated malware code is embedded on the card).

The experts noticed that Track2 hardcoded commands could be easily discovered by security solutions used to protect the ATMs.

“Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.” states the post published by Kaspersky.

The researchers also recommend a series of counter measured that includes:

  • Regular AV scans
  • Whitelisting technologies
  • Device management policy
  • Full disk encryption
  • Password protected BIOS
  • Only implements HDD booting
  • Separate ATM network from any other internal bank networks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ATM, Skimer)



you might also like

leave a comment