Kaspersky has detailed an interesting and naughty piece of malware that allowed attackers to steal cash directly from some ATM machines running an embedded Microsoft Windows OS.
The malware was active on at least 50 ATM machines in Eastern Europe, but there is some evidence that it has spread beyond the region to many other countries, including Canada, France, India and the United States. Kaspersky Lab’s Global Research and Analysis Team came to this conclusion based on statistics of submissions made to the popular VirusTotal service.
It is targeted at ATM machines made by a major manufacturer, running a 32-bit embedded Windows operating system, and it is smart enough to hide itself using several tactics.
What is interesting is that Kaspersky cited security camera footage from locations of infected ATM machines showing that a bootable CD was used to infect them. The CD transfers the malware to the device, performs some checks and then edits the registry so the malware runs at boot; the malware then interacts with the ATM through the standard library MSXFS.dll, which Kaspersky informs readers is the “Extension for Financial Services (XFS).”
It then runs in an infinite loop waiting for user input, but by default it only accepts commands on Sunday and Monday nights. It accepts multiple commands from an operator, who must then press the Enter button on the keypad to proceed. Another clever trick, clearly intended to ensure that only the right people can manipulate the machine, is the requirement that a session key be entered.
For every session it displays a random seed on screen, and the operator needs to know the algorithm that derives a session key from that seed. If all goes right, the operator can then do some things you wish you could do at an ATM, like entering a cassette number and having the ATM dispense 40 banknotes from it.
Check out a video demonstration.