Tomcat
This year, at the request of a financial institution, Kaspersky Lab's Global Research Center conducted a forensic investigation into a cybercriminal attack targeting ATMs in Eastern Europe.
During our investigation, we discovered a malicious program that allows attackers to empty the cassettes in which cash is stored in ATMs by directly manipulating the ATM.
At the time of the investigation, this malware was active on more than 50 ATMs belonging to Eastern European banks. Having studied the data on objects sent for scanning to VirusTotal, we came to the conclusion that the malware, while spreading, also reached some countries from other regions, including the USA, India and China.
Due to the specific nature of the devices for which this malware is intended, we do not have data from KSN that would allow us to estimate the scale of the infection. However, judging by the statistics collected by VirusTotal, malicious samples were sent from the following countries.
This new malware, detected by Kaspersky Lab products as Backdoor.MSIL.Tyupkin, targets ATMs manufactured by one of the largest manufacturers of such devices running a 32-bit version of Microsoft Windows.
To avoid detection, the malware uses several clever tricks. First of all, it is only active at certain times during the night. In addition, each session uses a key generated from a randomly selected number. Without this key, interaction with an infected ATM is impossible.
When the correct key is entered, the malware displays information on the amount of money available in each cassette and allows an attacker with physical access to the ATM to obtain 40 bills from the cassette of his choice.
Most of the samples we analyzed were compiled around March 2014. However, the authors of the malware did not stand still. In its latest version (version .d), the malicious code is protected against analysis with debuggers and emulators; in addition, this version disables McAfee Solidcore protection on the infected system.
Analysis
According to video footage from surveillance cameras installed at the locations of infected ATMs, the attackers were able to manipulate the ATMs by installing malicious code from a boot CD. During the attack, the criminals copied the following files to the ATM:
C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk
After certain environmental checks, the malware deletes the file with the .lnk extension and creates the following key in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
«AptraDebug» = «C:\Windows\system32\ulssm.exe»
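As an added example (not code from the Kaspersky report), the following PowerShell check looks for the three persistence artefacts listed above on a Windows ATM host. The file paths and the Run-key value name are exactly those given in the text; the function name and the output format are assumptions.

```powershell
# Added example, not code from the Kaspersky report: scans a Windows host for the three
# Tyupkin persistence artefacts named in the text. Paths and the Run-key value name are
# exactly those on the page; the function name and output format are assumptions.
# Written for PowerShell 2.0+ so it also runs on the 32-bit Windows builds ATMs use.
function Test-TyupkinArtifacts {
    $findings = @()

    # 1. Dropped executable: C:\Windows\system32\ulssm.exe
    $exe = Join-Path $env:SystemRoot 'system32\ulssm.exe'
    if (Test-Path -LiteralPath $exe) {
        # SHA-256 via .NET (Get-FileHash does not exist before PowerShell 4.0)
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $bytes = [System.IO.File]::ReadAllBytes($exe)
        $hash  = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        $findings += New-Object PSObject -Property @{
            Indicator = 'File'; Location = $exe; Detail = "sha256=$hash"
        }
    }

    # 2. Startup shortcut. The malware deletes it after its environment checks,
    #    so its absence does not prove the host is clean.
    $lnk = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup\AptraDebug.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $findings += New-Object PSObject -Property @{
            Indicator = 'StartupLnk'; Location = $lnk; Detail = ''
        }
    }

    # 3. Run-key persistence: HKLM\...\Run\AptraDebug = C:\Windows\system32\ulssm.exe
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AptraDebug' -ErrorAction SilentlyContinue
    if ($run -and $run.AptraDebug) {
        $findings += New-Object PSObject -Property @{
            Indicator = 'RunKey'; Location = "$runKey\AptraDebug"; Detail = $run.AptraDebug
        }
    }

    return ,$findings
}

$result = @(Test-TyupkinArtifacts)
if ($result.Count -eq 0) {
    Write-Output 'No Tyupkin artefacts found at the locations named in the report.'
} else {
    Write-Warning "$($result.Count) Tyupkin indicator(s) found; isolate the ATM and preserve a disk image."
    $result | Select-Object Indicator, Location, Detail | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and System32 are readable; a clean result only covers the artefacts named in the report, not a renamed or relocated sample.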
Next, the malicious program interacts with the ATM through the standard MSXFS.dll library, the Extension for Financial Services (XFS) interface.
The malware starts an infinite loop waiting for user input. To make detection more difficult, Tyupkin only accepts commands (by default) on Sunday and Monday nights.
The following commands are valid:
- XXXXXX – show the main window.
- XXXXXX – remove malware from the device using a batch file.
- XXXXXX – extend the period of activity of the malicious program.
- XXXXXX – hide the main window.
In addition, Tyupkin uses session keys to prevent interaction with random users. After the “Show main window” command is entered, the malware displays the message “ENTER SESSION KEY TO PROCEED!”. For each session, the key is generated from a randomly selected number.
The operator of the malware must know an algorithm that allows them to generate a session key from the number shown on the screen. Interaction with an infected ATM is possible only after successfully entering this key.
The malware then displays the following message:
CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.
After the operator selects the cassette number, the ATM dispenses 40 bills from it.

If an incorrect session key is entered, the malware disables the local network and displays the following message:
DISABLING LOCAL AREA NETWORK...
PLEASE WAIT...
It is not entirely clear why the malware disables the local network. This is likely done to delay or complicate remote investigation of the incident.
Video demonstrating the functioning of the malicious program on a real working ATM:
Conclusion
Over the past few years, we have seen a serious increase in the number of attacks on ATMs using skimmers and malware. Following high-profile reports of financial data being stolen around the world through ATMs fitted with skimmers, law enforcement agencies around the world have taken serious action, resulting in the arrest and prosecution of cybercriminals. It is now well known that cybercriminals are able to use skimmers to secretly read credit and debit cards when customers insert them into ATMs located in bank branches or gas stations. Thanks to this, many bank customers have realized that they need to be alert and take necessary precautions when using ATMs.
We are now seeing the natural progression of this threat. Cybercriminals move up the chain and attack financial institutions themselves - by directly infecting ATMs or launching APT-like attacks (Advanced Persistent Threat) directly against banks. The Tyupkin malware is just one example of how attackers are moving to a higher level and finding weaknesses in ATM infrastructure.
The fact that many ATMs run operating systems with known vulnerabilities and without specialized security solutions is another problem that needs to be addressed as soon as possible.
We recommend that banks review the physical security measures in place for their ATMs and consider investing in quality cyber security solutions.
Recommendations for minimizing risk
We recommend that financial institutions and ATM service companies consider taking the following measures to minimize risk:
- Review physical security measures for your ATMs and invest in high-quality security solutions.
- Replace the top compartment locks and corresponding keys on all ATMs. Avoid using master keys obtained from the manufacturer.
- Install security alarms on ATMs and ensure they operate effectively. There is evidence that the cybercriminals behind Tyupkin only infected ATMs that did not have security alarms.
- You can request guidance on a one-step check to see if your ATMs are infected by emailing intelreports@kaspersky.com. To perform a full scan of the ATM file system and remove the backdoor, use the free Kaspersky Virus Removal Tool.
General recommendations for operators of ATMs installed in public places
- The ATM should be located in an open, well-lit area covered by clearly visible CCTV cameras. The ATM should be securely fastened to the floor using an anti-lasso device to help deter criminals.
- Regularly check ATMs for signs of third-party devices (skimmers).
- Beware of social engineering attacks where criminals pose as technicians inspecting alarm systems, CCTV cameras or other devices installed in ATM locations.
- Treat any alarm that goes off seriously and take appropriate action - be sure to report any possible security violations to law enforcement.
- Consider putting enough money into the ATM for just one day's use.