The image of an ATM spewing out cash is a bank’s worst nightmare, but Kaspersky Lab researchers have discovered new malware that does just that. It’s the latest in a long line of cash machine compromise tactics.
Known as ATMii, the malware consists of two parts: an injector module that targets ATM software, and the module to be injected. The bad code uses legitimate proprietary libraries; cybercriminals can access the target ATM via the network or physically through USB ports to upload malicious files into the systems.
Travis Smith, principal security researcher at Tripwire, also noted that the ATMii malware is very targeted, not only because it only supports Windows 7, but also because it is targeted to a specific ATM executable (atmapp.exe).
“According to Kaspersky’s initial report, this is a proprietary application, so it’s unlikely this specific malware variant will have a large impact on the ATM market worldwide,” he said via email. “Even with minimal impact, it’s quite easy to prevent the malware’s infection path by implementing foundational controls. Limiting network access and disabling USB ports will reduce the attack surface enough that this simple type of malware won’t make it onto an ATM.”
Kaspersky Lab said in a blog post that ATMii is yet another example of how criminals can use a small piece of code to dispense money to themselves. The ATMii malware sample was provided by a Kaspersky Lab partner from the financial industry in April 2017; it shares some similarities with the latest version of the Skimer malware, reported by Kaspersky Lab last year, and is only the most recent ATM malware to make it into the wild.
“During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks,” the firm said. “The evolution of Backdoor.Win32.Skimer demonstrates the attacker interest in these malware families as ATMs are a very convenient cash-out mechanism for criminals. Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer.”
To protect against such attacks, Kaspersky Lab advises ATM operators to incorporate default-deny policies and device control, as well as technical measures to protect the ATM against physical access.
Of course, criminals can always just resort to blowing up the machines.