A forensic investigation into cyberattacks against ATMs has led to the discovery of malware used to steal millions of dollars.
This new malware has been dubbed Backdoor.MSIL.Tyupkin by Kaspersky Lab and affects ATMs from a major ATM manufacturer that run 32-bit Microsoft Windows. It was found on more than 50 machines in Eastern Europe. Based on submissions to VirusTotal, the malware is believed to have spread to other regions as well, including India, China and the United States.
Most of the samples analyzed by Kaspersky Lab were compiled around March 2014, but the malware has evolved over time. The latest variant (version .d) uses anti-debug and anti-emulation techniques and disables McAfee Solidcore on the infected system, according to the researchers.
“The malware uses several sneaky techniques to avoid detection,” according to Kaspersky Lab’s Global Research & Analysis Team (GReAT), which was called in by a financial institution to investigate the situation. “First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.”
When the key is entered correctly, however, the malware displays how much money is available in every cash cassette and allows an attacker with physical access to the machine to withdraw 40 notes from the selected cassette.
The first step for the attackers is to gain physical access to the ATM. They then insert a bootable CD to install the Tyupkin malware. After the system is rebooted, the infected ATM is under the attacker's control, and the malware runs in an infinite loop waiting for a command. According to the researchers, the malware only accepts commands at specific times on Sunday and Monday nights.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. “Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.”
The Tyupkin malware, he noted, is an example of attackers taking advantage of weaknesses in the ATM infrastructure. Financial organizations are strongly advised to review the physical security of their machines as well as their network infrastructure, he added. In particular, Kaspersky Lab suggests organizations replace all locks and master keys on the upper hood of their ATMs and get rid of the defaults provided by the manufacturer. In addition, banks should install an alarm and ensure it works, as the cybercriminals behind these attacks only infected ATMs without alarms installed.
“Since criminals require physical access to the ATM, that severely limits what can be achieved,” said Jean-Philippe Taggart, senior security researcher at Malwarebytes. “Europe has many ATMs directly on the street, and that makes them somewhat more vulnerable to physical attack. The session key required in this attack prevents a rogue mule from taking over the scam. It attacks the bank infrastructure directly, so while customers’ accounts are not being drained, they will feel the pain when the banks transfer the costs of fraud over with higher fees. Banks will likely not tighten their ATM security stance until cost analysis shows that this type of attack is costing them enough to warrant it.”
“Tyupkin malware doesn’t seem like a big deal at this point,” Taggart added. “The larger issue is that the banks still do risk analysis and fraud budgets to evaluate if the problem needs immediate attention, rather than addressing the problem from the get go.”
INTERPOL alerted the affected member countries and is assisting ongoing investigations.
“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” said Sanjay Virmani, director of the INTERPOL Digital Crime Centre, in a statement.