Security Experts:

Connect with us

Hi, what are you looking for?



Skillful Hackers Drained ATMs Using Malware-laden USB Drives

ATM Malware Attack

PUNTA CANA – KASPERSKY LAB SECURITY ANALYST SUMMIT – A highly sophisticated gang of criminals inserted infected USB sticks into ATMs and emptied out all the cash inside, a security researcher told SecurityWeek.

ATM Malware Attack

PUNTA CANA – KASPERSKY LAB SECURITY ANALYST SUMMIT – A highly sophisticated gang of criminals inserted infected USB sticks into ATMs and emptied out all the cash inside, a security researcher told SecurityWeek.

The gang looted four ATMs belonging to a single bank using a USB stick containing a DLL exploit payload, Tillmann Werner, a researcher for CrowdStrike, told SecurityWeek in an interview. Werner declined to specify the targeted bank, the brand of the ATM that was compromised, or the country where the attack occurred. Law enforcement officials have thus far made only one arrest in this operation–the money mule who was caught while taking the money out of a compromised ATM.

Considering how much money is kept inside a single ATM, it’s likely the gang has already stolen millions of dollars, and the gang is still in operation. It is also possible other banks may be targeted by this attack, Werner warned.

“The fact that such a sophisticated group is operating right now is the most important fact. Another thing that’s interesting is banks in Germany potentially have the same issue, although we haven’t seen an attack like that in Germany so far,” Werner said.

Attackers physically took apart the ATM and inserted a USB stick containing a malicious DLL installer into the machine’s printer port, Werner said. After the DLL file is injected into a process running on the ATM’s operating System—Windows XP, no less—the machine automatically reboots using the code on the USB drive. The malware on the USB stick collects information about the system and logs all activity. The malware also removes all traces of itself, so it is difficult to find the transaction when the theft occurs. The victim bank was able to figure out how the attack worked by looking at surveillance video, Werner said.

“They crack the ATM open and plug in the USB drive. It’s risky, but nevertheless, it works,” Werner said.

USB Drive with Malware

A member of the gang—the money mule—then goes to the ATM and enters a 12-digit code to trigger the malware installed on the machine. After the mule answers a challenge question and enters the correct response code, the ATM begins to dispense all the cash and doesn’t stop until its safe is empty. The entire transaction takes only a few minutes, Werner said. The transaction is frequently done at very early hours in the morning, when there are less people around to notice what is happening, he said.

This campaign is not related to last year’s ATM Ploutus malware, which targeted customers while they were using the ATM. Ploutus is “child’s play” compared with this operation, which is more advanced and targets the bank directly. Customer information and individual accounts are not compromised with this method.

“With this attack, you can empty a whole ATM and make a lot of money…It definitely takes a mafia-like organization to pull off such an attack,” Werner said.

Considering that ATMs lack basic security features, it is difficult to “secure the PC,” Werner said. The printer port should be blocked off, or disabled entirely so that it is not possible to stick a USB stick inside. Adding a boot password to the system will also make it much harder for an unauthorized individual to reboot and access the machine. Encrypting the hard drive will also prevent attackers from accessing the machine without a valid password. Of course, banks will have to make sure the boot password or hard drive passwords are strong, complex, and unique.

While Werner was not aware of similar attacks against U.S. banks, he warned that it could happen eventually. The attackers are using customized malware and are crafting the attack specifically for the bank and the brand of ATM machine being used. As far as he was aware, the victim bank has yet to share information about these attacks with other financial institutions, making it possible that multiple banks could already be affected.

“It has nothing to do with the banking system. They’re going after the machine that spits out the money,” he said.

Related ReadingNew Malware Found Infecting ATMs in Mexico

Related Reading: Exclusive – New Malware Targeting POS Systems, ATMs Hits US Banks

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...