A newly discovered family of malware targeting ATMs (automated teller machines) has been designed with the sole purpose of emptying cash from the safes of the self-serve machines, Trend Micro security researchers warn.
Dubbed Alice, the malware is the most stripped down ATM threat seen to date. The malware has no information stealing capabilities and can’t even be controlled via the ATM’s numeric keypad. Initially discovered in November 2016, Alice is believed to have been around since 2014, and Trend Micro says that it is only the eighth ATM malware family seen to date, although such threats have been around for over nine years.
Use of the malware requires physical access to an ATM, and Trend Micro suggests that it has been designed for money mules to steal all the money available in an attacked cash machine, something that malware such as GreenDispenser was seen doing last year.
Unlike that piece of malware, however, the new threat doesn’t connect to the ATM’s PIN pad and can also be used via Remote Desktop Protocol (RDP), although Trend Micro says that there’s no evidence of such use as of now.
Malware analysis revealed that Alice (the name was included in the version information of the binary) was packed with a commercial, off-the-shelf packer/obfuscator called VMProtect, which prevents execution inside debuggers. Further, the malware checks its environment before execution and terminates itself if it determines it isn’t running on an ATM (it checks for a couple of registry keys and also requires specific DLLs to be installed on the system).
When running on a machine, Alice writes two files in the root directory, namely an empty 5 MB+ sized file called xfs_supp.sys and an error logfile called TRCERR.LOG. Next, it connects to the CurrencyDispenser1 peripheral, which is the dispenser device in the XFS environment and, if a correct PIN is provided, it displays information on the various cassettes with money loaded inside the machine.
Because the malware only connects to the CurrencyDispenser1 peripheral and doesn’t attempt to use the machine’s PIN pad, the researchers believe that the attackers physically open the ATM and infect it via USB or CD-ROM. Moreover, they suggest that the actors connect a keyboard to the machine’s mainboard and operate the malware through it.
The security researchers discovered that Alice supports three commands, each issued via specific PINs: one to drop a file for uninstallation, another to exit the program and run the uninstallation/cleanup routine, and a third to open the “operator panel.” This panel is where information on the cash available inside the ATM is displayed.
The attacker simply needs to enter the cassette’s ID for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API. With ATMs typically having a 40-banknote dispensing limit, the attacker might have to perform the same operation multiple times to empty all the cash stored in a cassette. Information on the available cash is dynamically updated on the screen, so the attacker knows when a cassette is empty.
Trend Micro believes that the attackers manually replace the Windows Task Manager on the targeted machines with Alice, because the malware is usually found on infected systems in the form of taskmgr.exe. The malware doesn’t have a persistence method, but having it run as Task Manager means that Alice is invoked every time a command is issued to invoke the Task Manager.
“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism - it works by merely running the executable in the appropriate environment,” the researchers say.
The PIN authentication system is similar to that used by other ATM malware families, but it also provides the malware author with control over who has access to Alice. By changing the access code between samples, the author either prevents money mules from sharing the code or keeps track of individual money mules, or both.
The analyzed sample used a 4-digit passcode, but other samples could use longer PINs. The PIN cannot be brute-forced, as the malware would accept a limited number of inputs before terminating itself and displaying an error message. The researchers also believe that Alice was designed to run on any vendor’s hardware configured to use the Microsoft Extended Financial Services middleware (XFS).
“Up until recently, ATM malware was a niche category in the malware universe, used by a handful of criminal gangs in a highly targeted manner. We are now at a point where ATM malware is becoming mainstream,” Trend Micro researchers say.