Carding
Kaspersky Lab has released a report on the investigation into the circumstances of the cyberattack aimed at ATMs. During the investigation, specialists from the Center for Global Research and Analysis of Kaspersky Lab found that the attack was based on a malicious program (Trojan) designated Backdoor.MSIL.Tyupkin.
Tyupkin's main function was to issue banknotes through direct manipulation of the banknote dispenser.
The investigation identified more than 50 infected ATMs in Eastern European banks, and the company does not disclose which banks and countries are involved. But the study contains a chart with data from VirusTotal, a service that analyzes suspicious files using a variety of antiviruses. Judging by this chart, 20 users in Russia had already submitted Backdoor.MSIL.Tyupkin, while far fewer Tyupkin samples were submitted from other countries. This allows us to conclude that Russian ATMs have not only not escaped the attention of the Trojan's creators, but are their main target. The "victims" were ATMs of the same company from the top three manufacturers, running the Windows XP operating system, banki.ru writes.
The process of infecting the ATM was tracked using video cameras installed in the premises with the attacked ATMs. The criminals act head-on: they simply open the top of the ATM with a key, then insert a CD with the malware into the optical drive of the ATM computer. Where they get the keys is a separate question. But it is known that the easiest way to get a copy of the key is to bribe the technical support engineer who maintains these ATMs. In addition, if the lock in the ATM has not been changed since the device was purchased from the manufacturer, the master key common to this model may fit it.
Kaspersky Lab did not provide details of the infection method. Most likely, the cybercriminals restart the ATM computer, enter the BIOS settings, enable booting from CD, and boot from the Trojan disk. After the reboot, the operating system is infected with Tyupkin. In addition, the Trojan disables the built-in McAfee Solidcore security solution. After that, the criminals remove the disc, lock the ATM and leave the scene. Then it is the turn of the drops, the cash collectors.
The drops' work was also "exposed" by the cameras. Outwardly, the infected ATM works the same as before, but on Sundays and Mondays, strictly from 01:00 to 05:00, it accepts additional commands that are entered from the machine's pinpad. During one of these periods, the drop visits the ATM and enters a command that displays the Trojan's main menu on the device screen. In addition to this command, as determined by Kaspersky Lab experts, there is a command to remove the Trojan itself and a command to extend the active period until 10:00. The company's specialists even filmed a video of how this happens.
Knowing the main commands of the Trojan is not enough to get rich. The creators of the malicious program made sure that their creation remained under their control. Upon entering the main menu, the Trojan asks for a one-time session key, which is given to the drop by the accomplices above him.
If the entered key turns out to be correct, the Trojan displays the contents of the banknote cassettes and asks for the number of the cassette from which money should be withdrawn. After the number is entered, the ATM dispenser receives a command to dispense 40 banknotes. If the key is incorrect, the malware disables the ATM's network access. Why it does this, experts have not yet figured out. Presumably, this is meant to make investigating the incident more difficult.
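As an added example (not code from the article, Kaspersky Lab or any ATM vendor), the detection logic a bank's monitoring team could run over an ATM's electronic journal to flag the behaviour described above: dispenser events with no host authorization behind them, with a separate mark for those falling in the Sunday/Monday 01:00-05:00 window. The journal format, the event names HOST_AUTH and DISPENSE, and the sample lines are all constructed assumptions.

```python
"""Flag dispenser events that no host-authorized transaction accounts for.

Constructed example.  The log format (one event per line: ISO timestamp,
event name, key=value fields) and the event names are assumptions; real
ATM electronic journals differ per vendor.
"""
from datetime import datetime, timedelta

# Tyupkin's reported activity window: Sunday and Monday, 01:00 to 05:00.
WINDOW_DAYS = {6, 0}                 # datetime.weekday(): Sunday=6, Monday=0
WINDOW_START, WINDOW_END = 1, 5      # hours, half-open interval [01:00, 05:00)
MAX_AUTH_AGE = timedelta(minutes=2)  # a legitimate dispense follows its authorization quickly


def parse_line(line):
    """Split 'TIMESTAMP EVENT k=v k=v ...' into (datetime, event, dict)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def in_tyupkin_window(ts):
    """True if ts lies in the Sunday/Monday 01:00-05:00 activity window."""
    return ts.weekday() in WINDOW_DAYS and WINDOW_START <= ts.hour < WINDOW_END


def find_unauthorized_dispenses(lines):
    """Return (timestamp, cassette, notes, in_window) for every DISPENSE
    that no HOST_AUTH within MAX_AUTH_AGE can account for."""
    last_auth = None
    findings = []
    for line in lines:
        ts, event, kv = parse_line(line)
        if event == "HOST_AUTH":
            last_auth = ts
        elif event == "DISPENSE":
            authorized = last_auth is not None and ts - last_auth <= MAX_AUTH_AGE
            if not authorized:
                findings.append((ts, kv["cassette"], int(kv["notes"]), in_tyupkin_window(ts)))
            last_auth = None  # each authorization covers exactly one dispense
    return findings


# Constructed journal; 2014-10-05 is a Sunday, 2014-10-06 a Monday.
SAMPLE_JOURNAL = [
    "2014-10-04T14:02:10 HOST_AUTH txn=1001",
    "2014-10-04T14:02:15 DISPENSE cassette=2 notes=4 txn=1001",   # legitimate
    "2014-10-04T15:00:00 DISPENSE cassette=1 notes=2",            # no authorization, outside window
    "2014-10-05T02:13:40 DISPENSE cassette=3 notes=40",           # no authorization, inside window
    "2014-10-06T03:07:12 DISPENSE cassette=3 notes=40",           # no authorization, inside window
    "2014-10-06T11:30:00 HOST_AUTH txn=1002",
    "2014-10-06T11:30:03 DISPENSE cassette=1 notes=10 txn=1002",  # legitimate
]
```

The 40-note, no-authorization events inside the window are the pattern worth an immediate alert; an unauthorized dispense outside the window is still anomalous and should be reviewed against the physical-access footage.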
According to representatives of Kaspersky Lab, Tyupkin belongs to the next generation of threats that will soon replace the traditional carder business, skimming. Skimming has brought and still brings good money, but it has a number of problems that foreshadow a decline in its popularity: a complex multi-stage cash-out scheme that is relatively risky for its participants (the growing number of carder arrests attests to this), inapplicability to cards with EMV chips, and ever more sophisticated anti-skimming systems used by ATM manufacturers. Tyupkin works more simply, more crudely and more profitably, attacking not the cards but the card infrastructure itself.
The first samples of the Trojan analyzed by Kaspersky Lab were compiled in March 2020. This indirectly indicates that cybercriminals have been milking ATMs almost unhindered for many months. The exact losses of the banks are unknown and will never be known; it is only clear that we are talking about at least millions of dollars.
According to Vicente Diaz, leading antivirus expert at Kaspersky Lab, this is not the first Trojan of its kind: "We have already seen several similar samples, such as Ploutus. This type of Trojan is distinguished by the fact that, if the infection is successful, it provides criminals with immediate enrichment."
Backdoor.Ploutus.B, a modular Trojan found in Mexican ATMs in late 2013, is also capable of dispensing cash. Its principal difference from Tyupkin is that it receives commands via SMS messages through a mobile phone connected to the USB port of the ATM computer. The phone inevitably attracts the attention of engineers and thereby unmasks the infection whenever the ATM needs maintenance that requires opening the top. Tyupkin lacks this drawback, since outwardly it does not manifest itself in any way until a special command is received.
“Attackers have learned to infect devices from only one manufacturer with their Trojan,” says Diaz. “Once they have succeeded in inventing a method of infecting a particular ATM machine, they can try the same thing with other ATMs of that model. The attack will be successful as long as the banks do not implement additional protective mechanisms."
Kaspersky Lab experts urged banks to review the physical protection of their ATMs and invest in security solutions, install alarms, and replace the top compartment locks. You can remove malware from an infected device using free antivirus tools.