Security Experts: Skillful Hackers Drained ATMs Using Malware-laden USB Drives


PUNTA CANA - KASPERSKY LAB SECURITY ANALYST SUMMIT - A highly sophisticated gang of criminals inserted infected USB sticks into ATMs and emptied out all the cash inside, a security researcher told SecurityWeek.

The gang looted four ATMs belonging to a single bank using a USB stick containing a DLL exploit payload, Tillmann Werner, a researcher for CrowdStrike, told SecurityWeek in an interview. Werner declined to specify the targeted bank, the brand of the ATM that was compromised, or the country where the attack occurred. Law enforcement officials have thus far made only one arrest in this operation: the money mule who was caught while taking the money out of a compromised ATM.

Considering how much money is kept inside a single ATM, it's likely the gang has already stolen millions of dollars, and the gang is still in operation. It is also possible other banks may be targeted by this attack, Werner warned.

"The fact that such a sophisticated group is operating right now is the most important fact. Another thing that's interesting is banks in Germany potentially have the same issue, although we haven't seen an attack like that in Germany so far," Werner said.

Attackers physically took apart the ATM and inserted a USB stick containing a malicious DLL installer into the machine's printer port, Werner said. After the DLL file is injected into a process running on the ATM's operating system—Windows XP, no less—the machine automatically reboots using the code on the USB drive. The malware on the USB stick collects information about the system and logs all activity. The malware also removes all traces of itself, making it difficult to identify the transaction after a theft occurs. The victim bank was able to figure out how the attack worked by looking at surveillance video, Werner said.

"They crack the ATM open and plug in the USB drive. It's risky, but nevertheless, it works," Werner said.


A member of the gang—the money mule—then goes to the ATM and enters a 12-digit code to trigger the malware installed on the machine. After the mule answers a challenge question and enters the correct response code, the ATM begins to dispense all the cash and doesn't stop until its safe is empty. The entire transaction takes only a few minutes, Werner said. The transaction is frequently done in the very early hours of the morning, when there are fewer people around to notice what is happening, he said.

This campaign is not related to last year's ATM Ploutus malware, which targeted customers while they were using the ATM. Ploutus is "child's play" compared with this operation, which is more advanced and targets the bank directly. Customer information and individual accounts are not compromised with this method.

"With this attack, you can empty a whole ATM and make a lot of money...It definitely takes a mafia-like organization to pull off such an attack," Werner said.

Considering that ATMs lack basic security features, it is difficult to "secure the PC," Werner said. The printer port should be blocked off, or disabled entirely, so that it is not possible to insert a USB stick. Adding a boot password to the system will also make it much harder for an unauthorized individual to reboot and access the machine. Encrypting the hard drive will also prevent attackers from accessing the machine without a valid password. Of course, banks will have to make sure the boot password and disk-encryption passwords are strong, complex, and unique.
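The controls Werner lists above can be audited from the operating system itself. The PowerShell script below is an added example written for this page; it is not code from the article, from Werner, or from CrowdStrike. It assumes a Windows build with PowerShell 3 or later and, for the encryption check, the BitLocker module (Windows 8 / Server 2012 or later); the Windows XP ATMs described in the article have neither PowerShell nor BitLocker, so on such a machine only the USBSTOR registry check applies. The function name `Test-AtmHardening` and the expected status values are choices made for this example.

```powershell
# Added example (not from the article or the researcher it quotes): audit a Windows
# host for the hardening controls the article recommends and report PASS / FAIL / UNKNOWN.
# Assumes PowerShell 3+; the BitLocker check needs the BitLocker module (Windows 8 / Server 2012+).

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

function Test-AtmHardening {
    $findings = @()

    # 1. USB mass-storage class driver. A Start value of 4 means "disabled", so a stick
    #    plugged into the printer port or any other USB port will not enumerate as a drive.
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) {
        $findings += New-Finding 'USBSTOR disabled' 'UNKNOWN' 'USBSTOR service key not found'
    } elseif ($start -eq 4) {
        $findings += New-Finding 'USBSTOR disabled' 'PASS' "Start=$start"
    } else {
        $findings += New-Finding 'USBSTOR disabled' 'FAIL' "Start=$start (expected 4)"
    }

    # 2. Group Policy "All Removable Storage classes: Deny all access". When applied it
    #    writes Deny_All=1 under the RemovableStorageDevices policy key.
    $rsdKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $rsdKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    if ($denyAll -eq 1) {
        $findings += New-Finding 'Removable storage denied by policy' 'PASS' 'Deny_All=1'
    } else {
        $findings += New-Finding 'Removable storage denied by policy' 'FAIL' 'Deny_All policy not set'
    }

    # 3. Full-disk encryption of the system volume. Without it, a reboot from removable
    #    media gives an attacker read/write access to the disk, which is the scenario the
    #    article describes.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol -and $vol.ProtectionStatus -eq 'On') {
            $findings += New-Finding 'System drive encrypted' 'PASS' "BitLocker protection On ($($vol.VolumeStatus))"
        } else {
            $findings += New-Finding 'System drive encrypted' 'FAIL' 'BitLocker protection is not On for the system drive'
        }
    } else {
        $findings += New-Finding 'System drive encrypted' 'UNKNOWN' 'Get-BitLockerVolume not available on this build'
    }

    # A boot/BIOS password cannot be verified reliably from inside the OS, so it is
    # reported as a manual check rather than guessed at.
    $findings += New-Finding 'Boot (BIOS/UEFI) password set' 'MANUAL' 'Verify in firmware setup'

    return $findings
}

# Usage: run in an elevated PowerShell session on the machine under review.
Test-AtmHardening | Format-Table -AutoSize
```

Run it with administrative rights so the registry and BitLocker queries succeed; any FAIL row corresponds directly to one of the gaps Werner describes (removable media accepted, or a disk that can be read after an unauthorized reboot).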

While Werner was not aware of similar attacks against U.S. banks, he warned that it could happen eventually. The attackers are using customized malware and are crafting the attack specifically for the bank and the brand of ATM being used. As far as he was aware, the victim bank has yet to share information about these attacks with other financial institutions, making it possible that multiple banks could already be affected.

"It has nothing to do with the banking system. They're going after the machine that spits out the money," he said.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.