Security experts are warning of a new malware family designed to target and raid ATMs running the popular Microsoft XFS middleware.
Detected as BKDR_ALICE.A, the “Alice” malware is the leanest ATM threat of its type ever analyzed by Trend Micro, the firm’s senior threat researchers David Sancho and Numaan Huq claimed in a blog post.
Probably in the wild since at least October 2014, it first checks whether the ATM is running an Extensions for Financial Services (XFS) environment before proceeding.
Once the hacker enters a four-digit PIN based on the ATM’s terminal ID, it will bring up an operator panel displaying the various “cassettes” loaded with money inside the machine.
The attacker can then empty each cassette at will.
The four-digit code is apparently included to prevent individual groups of mules sharing the malware with each other and bypassing the rest of the cybercrime operation.
“Several things stand out about Alice. It is extremely feature-lean and, unlike other ATM malware families we have dissected, it only includes the basic functionality required to successfully empty the money safe of the ATM,” wrote Sancho and Huq.
“It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.”
Although Alice uses a commercial off-the-shelf packer to make analysis and reverse engineering more difficult, as ATM malware goes mainstream it is expected that the black hats will develop custom packers and other obfuscation techniques.
In related news, Positive Technologies is trumpeting research which led to the discovery of a zero-day vulnerability in Intel Security’s Solidcore ATM product, designed to protect Windows-based cash points.
Hackers could have used the bug to successfully target banks using customized malware, according to the vendor.
“The core protection for ATMs has to be regular security audits, the creation of secure ATM configuration policies, combined with continuous monitoring for compliance with these requirements. Such monitoring would significantly increase ATM protection from attacks exploiting simple vulnerabilities - such as Kiosk mode bypass and the absence of BIOS passwords,” explained lead security evangelist, Alex Mathews.
“For real-time detection of targeted attacks, the recommendation is to use security information and event management systems (SIEM) to detect suspicious activities or event sequences – such as the connection of any devices to an ATM, an unexpected reboot, the repeated depression of keys, or the execution of unauthorized commands.”
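The SIEM correlation Mathews describes can be sketched as a small rule engine over ATM host events. The following is an added example, not code from the article, Positive Technologies or Trend Micro; the log line format, the ATM identifiers, the process allowlist, the rule names and every sample event are constructed for illustration. It flags each of the four activities named in the quote: a device being attached, an unexpected reboot (with a stronger rule when the reboot closely follows a device connection), a burst of key presses within a short window, and a process start that is not on the allowlist.

```python
"""Toy SIEM-style correlation over constructed ATM host events (added example)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str     # device_connect | reboot | key_press | process_start (assumed vocabulary)
    detail: str


# Hypothetical allowlist of executables expected on a locked-down ATM host.
ALLOWED_PROCESSES = {"AtmApp.exe", "XfsService.exe", "svchost.exe"}


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO time> <atm-id> <kind> <detail>'."""
    ts, atm, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), atm, kind, detail)


def correlate(lines, key_burst=10, burst_window=timedelta(seconds=10),
              reboot_window=timedelta(minutes=10)):
    """Return (atm, rule, detail) alerts for the suspicious activities named in the quote."""
    alerts = []
    last_device = {}   # atm -> most recent device_connect event
    key_times = {}     # atm -> deque of recent key-press timestamps
    for ev in map(parse_line, lines):
        if ev.kind == "device_connect":
            # Any peripheral attached to an ATM is worth an alert on its own.
            last_device[ev.atm] = ev
            alerts.append((ev.atm, "DEVICE_CONNECTED", ev.detail))
        elif ev.kind == "reboot":
            prior = last_device.get(ev.atm)
            if prior is not None and ev.ts - prior.ts <= reboot_window:
                # Reboot shortly after a device was attached: the stronger sequence rule.
                secs = int((ev.ts - prior.ts).total_seconds())
                alerts.append((ev.atm, "REBOOT_AFTER_DEVICE", f"{secs}s after {prior.detail}"))
            elif ev.detail != "scheduled":
                alerts.append((ev.atm, "UNEXPECTED_REBOOT", ev.detail))
        elif ev.kind == "key_press":
            # Sliding window: keep only presses inside burst_window, alert once on a burst.
            recent = key_times.setdefault(ev.atm, deque())
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > burst_window:
                recent.popleft()
            if len(recent) >= key_burst:
                window_s = int(burst_window.total_seconds())
                alerts.append((ev.atm, "KEY_BURST", f"{len(recent)} presses in {window_s}s"))
                recent.clear()
        elif ev.kind == "process_start":
            if ev.detail not in ALLOWED_PROCESSES:
                alerts.append((ev.atm, "UNAUTHORIZED_PROCESS", ev.detail))
    return alerts


# Constructed sample events: one ATM shows the full suspicious sequence,
# a second ATM shows a benign scheduled reboot and an unexplained one.
SAMPLE_LOG = [
    "2016-12-20T10:00:00 ATM-017 process_start AtmApp.exe",
    "2016-12-20T10:05:12 ATM-017 device_connect USB mass storage",
    "2016-12-20T10:06:40 ATM-017 reboot unscheduled",
    "2016-12-20T10:08:01 ATM-017 process_start cmd.exe",
] + [f"2016-12-20T10:08:{5 + i:02d} ATM-017 key_press {i}" for i in range(10)] + [
    "2016-12-20T03:00:00 ATM-042 reboot scheduled",
    "2016-12-20T11:30:00 ATM-042 reboot unscheduled",
]

if __name__ == "__main__":
    for atm, rule, detail in correlate(SAMPLE_LOG):
        print(f"{atm} {rule}: {detail}")
```

Run stand-alone, it prints one line per alert for ATM-017 (device connected, reboot 88 seconds after the device, unauthorized cmd.exe, ten key presses in ten seconds) and a single unexpected-reboot alert for ATM-042; the scheduled reboot produces nothing. In a real deployment the thresholds and the allowlist would come from the secure ATM configuration policy the quote recommends, and the alert tuples would be forwarded to the SIEM rather than printed.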