ATM malware found in the wild

GreenDispenser malware cuts out the middleman in banking cyber fraud - enables attackers to directly drain banks' cash machines

Malware designed to run on ATMs and to steal cash directly from cash machines, rather than emptying users' bank accounts, has been found working in the wild.

When installed, the ATM displays an "out of service" message enabling the attackers to log-in via a twin authentication process to set-up the robbery, while ensuring that no-one else can hijack the heist.

According to security services company Proofpoint, GreenDispenser is a variant of the malware family that includes "Suceful", "Plotus" and "Padpin" (also known as Tyupkin).

"GreenDispenser provides an attacker with the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an ‘out of service' message on the ATM - but attackers who enter the correct pin codes can then drain the ATM's cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed," claims Proofpoint.

The malware has been coded to interact with the XFS middleware widely adopted by ATM makers.

"The XFS middleware allows software to interact with the peripherals connected to the ATM, such as the pinpad and the cash dispenser, by referencing the specific peripheral name. GreenDispenser has the ability to target ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names from the registry hive before defaulting to hardcoded peripheral names.

The malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection, according to Proofpoint.

GreenDispenser employs authentication using a static hard-coded PIN, it continues, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected cash machine.

"We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN -- a two-factor authentication of sorts. This feature ensures that only an authorised individual has the ability to perform the heist. In addition, GreenDispenser has the capability to perform a deep delete after the heist to prevent forensic analysis," according to Proofpoint.

However, the attackers would need to get physical access to the cash machines, at some point, in order to infect them in the first place.

Only this month, security specialist Brian Krebs claims that organised criminals, seemingly from Eastern Europe, were bribing ATM technicians to place malware onto cash machines around the tourist hotspot of Cancun, Mexico, which is particular popular with Americans.

Krebs's description of the Cancun ATM malware partly dovetails with Proofpoint's own Threat Insight warning, although the attackers, in that case, added a Bluetooth device to the ATM in order to communicate remotely.

"According to my source, several of his employer's ATM installation and maintenance technicians in the Cancun area reported recently being approached by men with Eastern European accents, asking each tech if he would be interested in making more than 100 times his monthly salary just for providing direct, physical access to the inside of a single ATM that the technician served," wrote Krebs.

He continued: "One of my source's co-workers was later found to have accepted the bribes, which apparently had only grown larger and more aggressive after technicians in charge of specific, very busy ATMs declined an initial offer.

"My source said his company fired the rogue employee who'd taken the bait, but that the employee's actions had still been useful because experts were now able to examine the skimming technology first-hand. The company tested the hardware by installing it into ATMs that were not in service. When they turned the devices on, they discovered each component was beaconing out the same Bluetooth signal: 'Free2Move'."