Cyber Security researchers have identified a new malware that affects ATMs. The malware strain is named ‘ATMii’ which affects those ATMs running Windows 7 and Windows Vista.
Several attacks on the banking sector have been reported in 2017, and ATMii is the latest of them. ATMii takes an unusual approach: it carries no cash-dispensing logic of its own and instead consists of two small files that make the legitimate atmapp process dispense cash on the attacker's behalf. The attacker needs either physical or network access to the machine to carry out the attack. Most ATMs in service still run a stripped-down version of Windows XP, on which the malware does not work, so ATMii appears to be aimed at the newer installations running Windows 7 and Vista.
Origin of ATMii
ATMii first surfaced in April 2017, when one of the affected banks shared a sample with Kaspersky Lab researchers, who have since published a technical breakdown of its capabilities. According to Konstantin Zykov (Kaspersky senior developer): "the malware is not as sophisticated as similar ATM malware strains". ATMii consists of just two files: 1) exe.exe, the injector module; 2) dll.dll, the module that gets injected.
How is ATMii installed in ATMs?
Step 1: To install ATMii, the criminal needs either network or USB access to the target ATM.
Step 2: Once access is gained, the attacker copies the two files mentioned above onto the ATM's storage drive and runs exe.exe.
Step 3: exe.exe looks for the running atmapp.exe process (the proprietary ATM software) and injects dll.dll into it.
Step 4: The injected DLL lets the attacker interact with the legitimate atmapp.exe process from the inside and thereby take complete control of the ATM.
Four ATMii Commands
Once atmapp.exe has been injected, the attacker drives the ATM through four commands:
1) scan: finds the cash dispenser service inside the infected process.
2) info: lists the ATM's cash cassettes, giving the operator an exact picture of which bills the machine holds and can dispense.
3) disp: dispenses a chosen sum; it takes two parameters, currency and amount.
4) die: removes the malware's local configuration file (C:\ATM\c.ini), cleaning up after the attack.
Konstantin Zykov recommends that banks take appropriate measures to limit and restrict both network and physical access to an ATM's ports. Other ATM malware strains seen in the past few years include ATMitch, GreenDispenser, Alice, Ploutus, RIPPER, Skimer and SUCEFUL.
Conclusion by Kaspersky Researchers:
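The behaviour described above maps directly onto endpoint telemetry: a foreign DLL loaded into atmapp.exe, the exe.exe injector started from removable media, and the C:\ATM\c.ini configuration file appearing on disk or being removed by die. The script below is an added detection example, not code from the Kaspersky write-up or from this article. It runs over constructed Sysmon-style event records (EventID 1 process create, 7 image load, 11 file create, 23 file delete); the trusted-directory list and the vendor install path C:\Program Files\ATM are assumptions that must be adjusted to the real deployment.

```python
"""Hunt for ATMii-style behaviour in Sysmon-style endpoint telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Union

ATM_PROCESS = "atmapp.exe"                        # legitimate dispenser process named in the write-up
ATMII_FILENAMES = {"exe.exe", "dll.dll"}          # injector and injected module named in the write-up
ATMII_CONFIG = PureWindowsPath(r"C:\ATM\c.ini")   # config file removed by the 'die' command
# Assumption: only Windows itself and the vendor's install directory are trusted sources of
# code on the ATM PC. Change the vendor path to the real install location.
TRUSTED_DIRS = (PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files\ATM"))


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def in_trusted_dir(path: Union[str, PureWindowsPath]) -> bool:
    """True if path sits below one of TRUSTED_DIRS; Windows paths compare case-insensitively."""
    path = PureWindowsPath(path)
    return any(trusted in path.parents for trusted in TRUSTED_DIRS)


def analyse(events: Iterable[dict]) -> List[Finding]:
    """Apply three rules derived from the ATMii description to a stream of event dicts."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        image = PureWindowsPath(ev.get("Image", ""))

        if eid == 7 and image.name.lower() == ATM_PROCESS:
            # Rule 1: image load into the dispenser process. Anything unsigned, outside the
            # trusted directories, or carrying a known ATMii file name is an injection candidate.
            loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
            signed = ev.get("Signed", "false").lower() == "true"
            if (loaded.name.lower() in ATMII_FILENAMES
                    or not in_trusted_dir(loaded)
                    or not signed):
                findings.append(Finding("atmapp-foreign-module",
                                        f"{image.name} loaded {loaded} (signed={signed})"))

        elif eid == 1:
            # Rule 2: process creation. Flag the injector by name, and any binary started from
            # an untrusted location such as a USB stick mounted under a drive letter.
            if image.name.lower() in ATMII_FILENAMES:
                findings.append(Finding("atmii-injector-exec",
                                        f"known ATMii file name executed: {image}"))
            elif not in_trusted_dir(image):
                findings.append(Finding("untrusted-process-exec",
                                        f"process started from untrusted path: {image}"))

        elif eid in (11, 23):
            # Rule 3: the malware's config file being written (11) or deleted by 'die' (23).
            target = PureWindowsPath(ev.get("TargetFilename", ""))
            if target == ATMII_CONFIG:
                action = "created" if eid == 11 else "deleted"
                findings.append(Finding("atmii-config-file", f"{target} {action} by {image}"))
    return findings


# Constructed sample records, not real ATM telemetry. Field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\ATM\atmapp.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\ATM\atmapp.exe",
     "ImageLoaded": r"C:\Program Files\ATM\dispense.dll", "Signed": "true"},      # benign vendor module
    {"EventID": 1, "Image": r"E:\exe.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # injector from USB
    {"EventID": 11, "Image": r"E:\exe.exe", "TargetFilename": r"C:\ATM\c.ini"},
    {"EventID": 7, "Image": r"C:\Program Files\ATM\atmapp.exe",
     "ImageLoaded": r"E:\dll.dll", "Signed": "false"},                              # the injection
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"E:\dll.dll", "Signed": "false"},                              # out of scope process
    {"EventID": 23, "Image": r"C:\Program Files\ATM\atmapp.exe", "TargetFilename": r"C:\atm\C.INI"},  # 'die'
]


def rules_for_sample() -> List[str]:
    """Rule names fired by the constructed sample, in event order."""
    return [f.rule for f in analyse(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Rule 1 is scoped to the dispenser process only, so the same dll.dll loaded by explorer.exe in the sample is deliberately not reported by it; on a real ATM the trusted-directory allow-list should be as short as the vendor's layout permits, since the scan/info/disp commands leave no trace of their own in the operating system.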
ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their code on the ATM's internal PC, while the second one will prevent them from connecting new devices, such as USB sticks.
How to Prevent?
- Harden physical access to ATM hardware and secure all exposed ports (USB, network)
- Keep software stacks up to date
- Follow network security best practices
- Real-time monitoring of hardware and software events