“GreenDispenser” ATM Malware Allows Attackers to Steal Cash

Researchers have discovered a new piece of malware designed to target ATMs and allow malicious actors to quickly empty a machine’s cash vault.

Stealing payment cards or card data can be lucrative for cybercriminals, but walking up to an ATM and commanding it to hand over all the money in its cash vault is much more profitable.

ATM malware such as Ploutus and Tyupkin (Padpin) are believed to have been used to steal large amounts of money directly from cash machines, and now there’s a new piece of crimeware developed for this purpose.

The new threat, dubbed “GreenDispenser” by experts at Proofpoint, is similar to Tyupkin. Attackers need physical access to the targeted ATM in order to install the malware. Once this step is completed, they can instruct the machine from its PIN pad to dispense cash.

While GreenDispenser is similar to Tyupkin, researchers say it has a couple of additional noteworthy features: the menu from which the ATM is instructed to dispense cash is protected by two-factor authentication (2FA), and the malware is designed to operate only for a limited period of time.

Similar to other ATM malware, GreenDispenser communicates with the cash machine’s hardware components, such as the PIN pad and the cash dispenser, via XFS, a piece of middleware that provides a client-server architecture for devices used in the financial industry.

The malware attempts to obtain the peripheral names for the PIN pad and the cash dispenser by querying certain registry locations. If that doesn’t work, it falls back to the names “Pinpad1” and “CurrencyDispener1,” respectively, which are the default values for specific ATMs.

When the malware is installed on an ATM, it might display a message written in English or Spanish indicating that the machine is out of service. While regular cardholders might walk away from the machine when seeing the error, the fraudsters simply type in a couple of PINs and they gain access to the malware’s menu.

According to Proofpoint, the first PIN is hardcoded, but the second PIN, which is part of a 2FA mechanism likely designed to keep unauthorized users out, is dynamic and can only be obtained by decoding a QR code displayed on the screen. Experts believe cybercrooks likely use a mobile app to decode the QR code and obtain the dynamic PIN.

Once both PINs are entered correctly, a message displayed on the screen instructs the user to press 1 to dispense money, 8 to delete the malware, 88 to perform a force delete, and 9 to pause. The removal process allows the attackers to ensure that little or no trace of the malware remains on the targeted ATM after it’s robbed.

Another interesting aspect about the sample analyzed by Checkpoint is that it’s designed to check the current year and month before running. GreenDispenser only runs if the year is 2015 and the month is prior to September; otherwise it stops. Experts believe GreenDispenser was used in a limited operation and designed to deactivate itself to avoid being detected.

“ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors,” Proofpoint’s Thoufique Haq wrote in a blog post. “While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter of time before these techniques are abused across the globe. We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come.”

Another interesting ATM malware discovered recently by researchers is Suceful. The threat allows attackers to read data from a card’s magnetic stripe and chip, disable sensors and alarms, and retain and eject cards on command. This last feature allows fraudsters to physically steal cards.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
