A new family of powerful ATM malware is being used in heists around the world, using known techniques, but also employing a card with a malicious EMV chip that allows the thief to control the malware on the machine.
The malware is known as Ripper and researchers have connected it to thefts at ATMs in a variety of countries, including a huge heist in Thailand earlier this summer. Ripper has a number of functions and capabilities, including the ability to count the number of bills in the machine, disable the network interface, and erase logs and other forensic evidence on the ATM. Researchers at FireEye, who have analyzed the malware, say some of the techniques have not been seen before, or are quite uncommon.
ATM malware comes in a number of different forms, and often is delivered to the machines through a USB drive or other portable media. Once on the machine, the malware’s main job is to dispense as much money to the thief as possible in a short period of time. Ripper can run in either of two ways: as a standalone service, or disguised as a legitimate process on the ATM.
“Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows ‘taskkill’ tool. RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion,” Daniel Regalado of FireEye wrote in an analysis of the Ripper malware.
“RIPPER will maintain persistence by adding itself to the \Run\FwLoadPm registry key (that might already exist as part of the vendor installation), passing the “/autorun” parameter that is understood by the malware.”
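A defender-side audit for the persistence and executable-replacement techniques just described, added here as an example that is not part of FireEye’s analysis or any vendor tool. The `FwLoadPm` value name and the `/autorun` argument come from the report; the assumption that a genuine vendor binary carries a valid Authenticode signature, and the idea of comparing its hash against a vendor-supplied baseline, are assumptions of this script.

```powershell
# Audit the Run keys for the FwLoadPm entry, verify the binary it launches,
# and look for other running processes that are byte-identical to it
# (RIPPER is reported to replace legitimate vendor executables with itself).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key -Name 'FwLoadPm' -ErrorAction SilentlyContinue
    if ($null -eq $entry) { continue }
    $cmd = [string]$entry.FwLoadPm

    # Split the command line into the executable path and its arguments.
    if ($cmd -match '^\s*"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $argStr = $Matches[2]
    } else {
        $parts = $cmd -split '\s+', 2
        $exe = $parts[0]; $argStr = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }

    $finding = [ordered]@{
        Key        = $key
        Command    = $cmd
        HasAutorun = ($argStr -match '(?i)/autorun')   # argument the malware is reported to use
        Exists     = Test-Path -LiteralPath $exe
    }
    if ($finding.Exists) {
        # Assumption: the real vendor binary is signed; 'NotSigned' or 'HashMismatch' is a red flag.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $finding.SignatureStatus = $sig.Status
        $finding.Signer          = $sig.SignerCertificate.Subject
        # Compare this hash against the vendor's known-good baseline (placeholder: not on this page).
        $finding.SHA256          = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        # Other processes running the same bytes under a different name suggest executable replacement.
        $finding.RunningCopies   = @(Get-Process | Where-Object {
            $_.Path -and
            (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash -eq $finding.SHA256
        } | Select-Object -ExpandProperty ProcessName)
    }
    $findings += [pscustomobject]$finding
}

if ($findings.Count -eq 0) { Write-Output 'No FwLoadPm Run entry found.' }
else { $findings | Format-List }
```

Run it from an elevated prompt on the ATM’s Windows image; an entry whose binary is unsigned, whose hash differs from the vendor baseline, or which also appears under several process names warrants a forensic image before any cleanup, since the malware is reported to erase logs.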
In order to control the malware on an infected ATM, the thief has to insert a card with a malicious EMV chip into the machine. The Ripper malware will validate the card, and then will wait for instructions from the keypad on the machine. The thief has a variety of commands at his disposal, such as cleaning logs, hiding the malware’s GUI, and shutting down the network interface of the ATM, which prevents it from communicating with the remote bank.
One attack that’s been linked to Ripper is a series of thefts in Thailand that netted thieves about $350,000 earlier this month. That operation hit more than 20 ATMs.
“This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices. In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves,” Regalado said.