ATMii malware targets Windows 7 and Windows Vista ATMs

Security researchers have discovered a new ATM malware strain named ATMii that targets only ATMs running on Windows 7 and Windows Vista.

The choice of targets is peculiar: most ATMs deployed today still run a stripped-down version of Windows XP, which means ATMii will not run on the majority of machines in the field.

The most likely explanation is that ATMii's operator is deliberately targeting only the ATMs installed on one specific victim's network, and has built the malware for those machines alone.

ATMii targeting Windows 7 and Windows Vista OSs

ATMii discovered in April 2017

ATMii came to light earlier this year when one of the affected banks shared a sample with Kaspersky Lab researchers, who today published a technical breakdown of the malware's capabilities.

According to Kaspersky senior developer Konstantin Zykov, the malware is not as sophisticated as similar ATM malware strains.

The entire ATMii malware consists of only two files: exe.exe and dll.dll. To install ATMii on an ATM, a crook needs either network or USB access to the device.

If that access is available, the crook copies the two files onto the ATM's storage drive and runs exe.exe. This file looks for the standard atmapp.exe process and injects the malicious dll.dll into it. Once loaded, the DLL lets the crook interact with the legitimate atmapp.exe process and control the ATM.
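Because ATMii lives as a foreign DLL inside the vendor's own atmapp.exe process, a quick point-in-time check on an ATM is to enumerate the modules loaded into that process and flag anything that is not where the vendor's and Microsoft's binaries live or does not carry a valid Authenticode signature. The script below is an added example for this article, not code from Kaspersky's report or from the malware; the process name atmapp comes from the article, while the vendor install path C:\Program Files\ATMVendor is an assumption you must replace with the real one.

```powershell
# Added example (not from the original article or Kaspersky's report):
# flag DLLs loaded into the ATM application process that sit outside the
# expected directories or are not validly signed.
# Assumptions: the vendor process is named atmapp.exe (per the article) and its
# legitimate modules live under %SystemRoot% or the vendor's install directory
# (C:\Program Files\ATMVendor is a placeholder). Run from an elevated PowerShell
# session whose bitness matches the target process (64-bit for a 64-bit app).
param(
    [string]$ProcessName = 'atmapp',
    [string[]]$TrustedRoots = @("$env:SystemRoot", 'C:\Program Files\ATMVendor')  # assumed vendor path
)

function Test-UnexpectedModule {
    param(
        [System.Diagnostics.ProcessModule]$Module,
        [string[]]$Roots
    )
    $path = $Module.FileName
    $reasons = @()

    # 1. Location check: a DLL dropped into a temp folder, a removable drive or the
    #    root of the system drive is not where vendor code is expected.
    $inTrustedRoot = $false
    foreach ($r in $Roots) {
        if ($path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
            break
        }
    }
    if (-not $inTrustedRoot) { $reasons += 'outside trusted roots' }

    # 2. Signature check: a DLL a crook copied onto the machine is unlikely to carry
    #    a valid signature from the vendor or Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Module = $Module.ModuleName
            Path   = $path
            Reason = ($reasons -join '; ')
        }
    }
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No process named $ProcessName is running"
    return
}

foreach ($p in $procs) {
    # Reading .Modules needs administrative rights; it also fails when a 32-bit
    # PowerShell tries to inspect a 64-bit process.
    try {
        $mods = $p.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($p.Id): $_"
        continue
    }

    $findings = foreach ($m in $mods) { Test-UnexpectedModule -Module $m -Roots $TrustedRoots }

    if ($findings) {
        Write-Output "PID $($p.Id): $(@($findings).Count) unexpected module(s)"
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "PID $($p.Id): all $($mods.Count) modules are in trusted roots and validly signed"
    }
}
```

Treat a hit as a lead, not a verdict: some vendors ship unsigned helper DLLs, so baseline the output on a known-clean machine first and whitelist what you find there. The check is also only a snapshot of the process at the moment it runs; catching the injection as it happens would require process-injection telemetry on the ATM rather than a module listing.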

Malware supports three commands, but that's all it needs

On infected ATMs, crooks can carry out three malicious operations. First, they can scan the ATM's cash cassettes for an exact list of the bills the machine contains at that point in time. Second, they can make the ATM dispense a desired amount of cash. Third, they can order the malware to sabotage itself by deleting a local config file.

As with most ATM malware, Zykov recommends that banks take appropriate measures to limit both network access to their ATMs and physical access to the machines' ports.

Besides ATMii, other notorious ATM malware strains that have been spotted in the past few years include ATMitch, GreenDispenser, Alice, Ploutus, RIPPER, Skimer, and SUCEFUL.

The Kaspersky ATMii report is available here.

Image credits: mohamed1982eg, Kaspersky Lab
