ATM Malware Allows Attackers to Steal Millions

A forensic investigation into cyberattacks against ATM machines has led to the discovery of malware used to steal millions of dollars.

This new malware has been dubbed Backdoor.MSIL.Tyupkin by Kaspersky Lab and affects ATM machines from a major ATM manufacturer that run on Microsoft Windows 32-bit. It was found on more than 50 machines in Eastern Europe. Based on submissions to VirusTotal, it is believed the malware has spread to other regions as well, including India, China and the United States.

Most of the samples analyzed by Kaspersky Lab were compiled around March 2014, but the malware has evolved over time. The latest variant (version .d) uses anti-debug and anti-emulation techniques and disables McAfee Solidcore on the infected system, according to the researchers.

“The malware uses several sneaky techniques to avoid detection,” according to Kaspersky Lab’s Global Research & Analysis Team (GReAT), which was called in by a financial institution to investigate the situation. “First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.”

When the key is entered correctly, however, the malware displays how much money is available in each cash cassette and allows an attacker with physical access to the machine to withdraw 40 notes from the selected cassette.

The first step for the attackers is to gain physical access to the ATM. They then insert a bootable CD to install the Tyupkin malware. After the system is rebooted, the infected ATM is under the attacker's control, and the malware runs in an infinite loop waiting for a command. According to the researchers, the malware only accepts commands at specific times on Sunday and Monday nights.
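The behaviour described above (cash dispensed without any customer card transaction, at night on Sunday or Monday, 40 notes at a time) suggests a simple monitoring heuristic on the bank's side. The following is an added example written for this article, not code from Kaspersky Lab or any ATM vendor; the dispense-journal format, field names and sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed, hypothetical dispense-journal format (not Tyupkin's or any vendor's):
# "timestamp|cassette|notes|card_session", with an empty card_session when no
# customer card transaction preceded the dispense.
SAMPLE_JOURNAL = """\
2014-03-02 14:05:11|1|12|S-10091
2014-03-02 23:41:03|2|40|
2014-03-03 00:10:44|2|40|
2014-03-04 10:02:30|3|5|S-10092
"""

NOTES_PER_COMMAND = 40  # per-command dispense size reported for Tyupkin


@dataclass
class Alert:
    when: datetime
    cassette: int
    notes: int
    severity: str


def in_tyupkin_window(ts: datetime) -> bool:
    """Sunday/Monday night, taken here as 22:00 through 05:59 local time."""
    evening = ts.weekday() in (6, 0) and ts.hour >= 22  # Sunday/Monday evening
    early = ts.weekday() in (0, 1) and ts.hour < 6      # Monday/Tuesday early hours
    return evening or early


def detect_cardless_dispenses(journal: str) -> list[Alert]:
    """Flag every dispense not tied to a card session; rank those that also
    match the reported activity window and batch size as high severity."""
    alerts = []
    for raw in journal.splitlines():
        if not raw.strip():
            continue
        ts_text, cassette, notes, session = raw.split("|")
        if session:  # a customer transaction explains this dispense
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        n = int(notes)
        strong = in_tyupkin_window(ts) and n == NOTES_PER_COMMAND
        alerts.append(Alert(ts, int(cassette), n, "high" if strong else "medium"))
    return alerts
```

Run against the sample journal, the two Sunday/Monday-night dispenses of 40 notes with no card session are reported as high severity, while the two ordinary customer withdrawals are ignored.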

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. “Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.”

The Tyupkin malware, he noted, is an example of the attackers taking advantage of weaknesses in the ATM infrastructure. Financial organizations are strongly advised to review the physical security of their machines as well as their network infrastructure, he added. In particular, Kaspersky Lab suggests organizations replace all locks and master keys on the upper hood of the ATM machines and get rid of the defaults provided by the manufacturer. In addition, banks should install an alarm and ensure it works, as the cybercriminals behind the attacks only infected ATMs without alarms installed.

“Since criminals require physical access to the ATM, that severely limits what can be achieved,” said Jean-Philippe Taggart, senior security researcher at Malwarebytes. “Europe has many ATMs directly on the street, and that makes them somewhat more vulnerable to physical attack. The session key required in this attack prevents a rogue mule from taking over the scam. It attacks the bank infrastructure directly, so while customers’ accounts are not being drained, they will feel the pain when the banks transfer the costs of fraud over with higher fees. Banks will likely not tighten their ATM security stance until cost analysis shows that this type of attack is costing them enough to warrant it.”

“Tyupkin malware doesn’t seem like a big deal at this point,” Taggart added. “The larger issue is that the banks still do risk analysis and fraud budgets to evaluate if the problem needs immediate attention, rather than addressing the problem from the get go.”

INTERPOL alerted the affected member countries and is assisting ongoing investigations.

“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” said Sanjay Virmani, director of the INTERPOL Digital Crime Centre, in a statement.

Written By

Marketing professional with a background in journalism and a focus on IT security.
