Security researchers have discovered a new ATM malware strain, named ATMii, that runs only on ATMs with Windows 7 or Windows Vista.
That choice of platform is unusual: most ATMs in service today run a stripped-down build of Windows XP, so ATMii will not run on most of them.
The most likely explanation is that ATMii's operator is deliberately targeting the ATMs on one specific victim's network, and has built malware for those thefts alone.
ATMii discovered in April 2017
ATMii came to light earlier this year when one of the affected banks shared a sample with Kaspersky Lab researchers, who today published a technical breakdown of the malware's capabilities.
According to Kaspersky senior developer Konstantin Zykov, the malware is not as sophisticated as similar ATM malware strains.
The whole of ATMii consists of two files: exe.exe and dll.dll. To install it, a crook needs either network or USB access to the ATM, so the attacker must already be able to reach the machine before the malware comes into play.
Given that access, the crook copies the two files to the ATM's storage drive and runs exe.exe. This injector looks for the running atmapp.exe process (the ATM's standard application software) and injects the malicious dll.dll into it. Running inside that process, the DLL can drive the legitimate atmapp.exe on the crook's behalf and so control the ATM.
Malware supports three commands, but that's all it needs
On an infected ATM, a crook can issue three commands. The first scans the cash cassettes and returns an exact list of the bills the ATM holds at that moment; the second makes the ATM dispense a chosen amount of cash; the third tells the malware to sabotage itself by deleting its local config file.
As with most ATM malware, Zykov's recommendation is for banks to limit network and physical access to an ATM's ports, since that access is what installing ATMii depends on.
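One check that follows from the injection flow above, written here as an added example (it is not code from the article or from Kaspersky's report): a PowerShell script that lists every DLL loaded into the ATM application process and flags any that come from outside the directories where the vendor's own binaries live, or that lack a valid Authenticode signature. The process name "atmapp" is taken from the article; the trusted directory list, including C:\ATM\bin, is an assumption to replace with the real install layout.

```powershell
# Added example, not code from the article or from Kaspersky's report.
# Assumptions: the ATM application process is called "atmapp" (as in the article),
# and its legitimate DLLs live under the directories in $TrustedDirs, which are
# placeholders to replace with the vendor's real install layout.
param(
    [string]   $ProcessName = 'atmapp',
    [string[]] $TrustedDirs = @("$env:SystemRoot\System32",
                                "$env:SystemRoot\SysWOW64",
                                'C:\ATM\bin')   # assumed vendor directory
)

$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "No process named '$ProcessName' is running"
    exit 1
}

$findings = @()
foreach ($p in $procs) {
    # Enumerating another process's modules needs administrator rights and a
    # PowerShell host of the same bitness (32/64-bit) as the target process.
    $modules = @()
    try   { $modules = @($p.Modules) }
    catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        $trusted = $false
        foreach ($dir in $TrustedDirs) {
            if ($path -like "$dir\*") { $trusted = $true }
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # Flag anything loaded from outside the trusted directories, or anything
        # whose Authenticode signature is missing or invalid.
        if (-not $trusted -or $sig.Status -ne 'Valid') {
            $findings += New-Object PSObject -Property @{
                PID    = $p.Id
                Module = $m.ModuleName
                Path   = $path
                Signed = $sig.Status
                Signer = $signer
            }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table PID, Module, Signed, Path -AutoSize
    exit 2   # non-zero so a scheduled task or monitoring agent can raise an alert
}
"All modules in '$ProcessName' come from trusted directories and carry valid signatures."
exit 0
```

Run it as Administrator from a PowerShell host of the same bitness as atmapp.exe; it sticks to PowerShell 2.0 syntax (New-Object PSObject rather than [pscustomobject]) because that is what Windows 7 shipped with. The caveat: Process.Modules only reports DLLs that went through the Windows loader, so a payload mapped into the process by hand would not appear. Treat this as one control alongside device control and network restrictions on the ATM, not a replacement for them.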
Besides ATMii, other notorious ATM malware strains that have been spotted in the past few years include ATMitch, GreenDispenser, Alice, Ploutus, RIPPER, Skimer, and SUCEFUL.
The Kaspersky ATMii report is available here.
Image credits: mohamed1982eg, Kaspersky Lab
Comments
Occasional - 6 years ago
Easy to understand why ATMs are tempting targets (not even a need to cash in your cryptocurrency). Didn't see any mention of number of successful exploits, or amounts taken.
As someone has to go to a location (and insert a valid card?) to collect the cash, there would seem to be considerable and immediate risks (immediate if the compromised ATM is discovered and staked out; risk of later arrest if video surveillance at or near the ATM provides identification). Am I wrong, or does any ATM robbery in the US bring in the FBI, and federal charges?
SuperSapien64 - 6 years ago
Every time I hear about ATMs being hacked, it makes me wonder: if these ATMs were using a *nix-based OS, would it be as easy to hack them?