RIPPER ATM Malware Linked to Thailand Heist

The malicious software used earlier this month to steal 12 million baht ($346,000) from ATMs at banks in Thailand might be a new ATM malware variant called RIPPER, FireEye researchers reveal.

The new malware sample was originally observed on Aug. 23, 2016, when it was uploaded to VirusTotal from an IP address in Thailand, just minutes before the 12 million baht theft made it to the headlines. According to FireEye researchers, the sample also uses some techniques not seen before.

The malware is called RIPPER because researchers found the “ATMRIPPER” name in the sample.

The group behind this operation installed malware into multiple cash machines run by Thailand's state-run Government Savings Bank (GSB) in late July. The thieves were linked to the previously revealed $2.5 million heist in Taiwan, where a group of foreigners stole money from cash machines using a similar method.

The new malware variant packs a series of features that tie it to previous ATM malware, such as its ability to target the same ATM brand, or its use of the same strategy as Padpin (Tyupkin), SUCEFUL, and GreenDispenser to expel currency. The malware consistently enforces a limit of 40 bank notes per withdrawal, which is the maximum allowed by the ATM vendor.

Moreover, the malware can control the Card Reader device to Read or Eject the card on demand, the same as SUCEFUL, and can disable the local network interface, similar to the Padpin family. The malware was also connected to GreenDispenser because of its ability to use the “sdelete” secure deletion tool to remove forensic evidence.

However, the sample also shows a range of new capabilities, starting with its ability to target three of the main ATM vendors worldwide, something no previous ATM malware had done, FireEye says. What’s more, RIPPER is installed on the ATM through the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. The Skimmer family used this technique before, but the method is uncommon, FireEye notes.

Analysis of the malware has revealed that it can maintain persistence either as a standalone service or by masquerading as a legitimate ATM process. When RIPPER is installed as a service, it first kills the process “dbackup.exe”, then replaces the original dbackup.exe binary with itself. Next, it installs a persistent service, “DBackup Service,” which it can stop, start, and even delete.

The malware supports other command line switches as well, such as /autorun, which causes it to sleep for 10 minutes and then run in the background waiting for interaction, and /install, which replaces the ATM software running on the machine. Using the native Windows “taskkill” tool, RIPPER kills the processes running in memory for the three targeted ATM vendors, then replaces the legitimate executables with itself.

“RIPPER will maintain persistence by adding itself to the \Run\FwLoadPm registry key (that might already exist as part of the vendor installation), passing the “/autorun” parameter that is understood by the malware,” FireEye researchers explain. The malware is also able to remove the registry keys with the /uninstall command.
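As an added, defender-side example that is not part of the original article or FireEye’s analysis, the following Python checks constructed endpoint telemetry for the persistence and cleanup behaviours described above: the Run\FwLoadPm value carrying the /autorun switch, termination of dbackup.exe, installation of “DBackup Service,” and use of sdelete. The event shape and all sample events are assumptions built for this illustration, not real logs.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs), shaped as (event_type, details):
# registry events carry "key\value=data", process events the command line,
# service events the installed service name.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\taskkill.exe /f /im dbackup.exe"),
    ("process", r"C:\Windows\System32\taskkill.exe /f /im notepad.exe"),
    ("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FwLoadPm=C:\ATM\dbackup.exe /autorun"),
    ("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FwLoadPm=C:\ATM\vendor.exe"),
    ("service", "DBackup Service"),
    ("process", r"C:\Tools\sdelete.exe -p 3 C:\ATM\logs\trace.log"),
]


@dataclass
class Finding:
    rule: str
    detail: str


def detect_ripper_indicators(events):
    """Return one Finding per event matching a RIPPER-style behaviour."""
    findings = []
    for kind, detail in events:
        low = detail.lower()
        if kind == "registry":
            # Run\FwLoadPm may exist legitimately from the vendor install;
            # the "/autorun" switch on its data is the malware-specific tell.
            if re.search(r"\\run\\fwloadpm=", low) and "/autorun" in low:
                findings.append(Finding("run_key_autorun", detail))
        elif kind == "process":
            # taskkill against the backup process that RIPPER replaces with itself
            if "taskkill" in low and "dbackup.exe" in low:
                findings.append(Finding("taskkill_dbackup", detail))
            # secure-deletion tool used to wipe forensic evidence
            if re.search(r"\bsdelete(\.exe)?\b", low):
                findings.append(Finding("sdelete_execution", detail))
        elif kind == "service":
            if low == "dbackup service":
                findings.append(Finding("dbackup_service_install", detail))
    return findings


if __name__ == "__main__":
    for f in detect_ripper_indicators(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Each rule keys on a behaviour the article attributes to RIPPER rather than on a file hash, so a rebuilt sample that keeps the same persistence chain still trips it; the vendor’s own FwLoadPm value without /autorun is deliberately left alone.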

When RIPPER is executed without any parameters, it performs a series of actions, such as connecting with the Cash Dispenser, Card Reader, and the Pinpad. The malware can identify the current devices by enumerating them and can make sure these devices are available by querying their status. If they are not available, the malware exits.

RIPPER was also designed to obtain Dispenser information such as the Cash Unit details to determine the number and type of available notes. Next, it starts two threads, one to monitor the status of the ATM devices to make sure they are available and to read all the keystrokes received from the Pinpad, and the second to monitor the Card Reader (once a card is inserted it validates the EMV chip for authentication to the ATM Malware).

When a card with a malicious EMV chip is detected, RIPPER starts a timer to allow a thief to control the machine. The attackers can interact with RIPPER via the Pinpad and have multiple options at their disposal, including methods for dispensing currency.

Directly from the ATM machine, the thieves can clear logs, shut down the ATM local network interface to prevent it from communicating with the bank, reboot the system, and eject the malicious ATM card.

“Through open sources, we’ve identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware. This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices. In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical,” FireEye researchers note.
