ATM malware attacks are on the rise

In the past few months, the prevalence of ATM hacking has increased.

Some time ago three ATMs were attacked in India, and the attackers were found to have used the malware GreenDispenser.


In this article we look at methods of hacking ATMs. Artur Garipov, Senior Research Specialist at Positive Technologies, helped us understand how such attacks work and explained the different methodologies.

One well-known example is Tyupkin (also called PadPin), which lets an attacker with physical access to the machine make it dispense cash. Attackers also deploy fake ATMs, skimmers (devices that copy the data of every card inserted into them), and similar hardware, but that is a topic for another article.

In our (EHN) opinion, ATM malware continues to evolve. The new malware GreenDispenser is a new breed of ATM attack: it gives an attacker the ability to walk up to an infected ATM and drain its cash vault.

Once installed, GreenDispenser can display an "out of service" message on the ATM so that ordinary customers leave it alone, while the attackers can still drain the cash vault. Afterwards the malware can erase itself, leaving investigators little evidence of how the ATM was robbed.

GreenDispenser is similar in functionality to PadPin but has some unique features, such as date-limited operation and a form of two-factor authentication.

We believe we are seeing the dawn of a new criminal industry targeting ATMs.

Artur commented that there are two types of ATM hacking: 1) remote access and 2) physical access.

With physical access, the crudest approach is simply to steal the whole ATM: load it onto a truck, or chain it to a car and tow it away, then cut it open somewhere safe.

An ATM consists of two compartments hidden behind its cover. The upper part is the service area, which houses an ordinary computer and the peripherals it drives: the card reader, the receipt printer (fiscal registrar), and so on. This is the brain that controls the ATM.

The lower part is the safe, which holds cassettes of banknotes, one denomination per cassette. The buzzing you hear while withdrawing cash is the dispenser picking the required notes of each value from the cassettes.

There are also more technical methods, and they are simple. The attacker needs only to open the service area, which can be done with a lock pick or a service key, and sometimes just by pushing hard on the ATM's metal cover.

The dispenser is then disconnected from the ATM's computer and connected to the attacker's own prepared computer, which issues the command to dispense all the banknotes. That is all that is needed; the attacker leaves the scene with the cash.

There are also cases where the attacker gained access to the bank's internal network and through it infected the ATMs or took remote control of them. That software then issued the same dispense-all command to the dispenser.
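The "black box" attack described above, as an added example that is not part of the original article or of Positive Technologies' work: a Python toy model of a dispenser that executes any command arriving on its cable, beside a hardened one that accepts only commands authenticated with an HMAC over a dispenser-issued one-time nonce. The command format, the shared key and the cassette contents are constructed for illustration; no real vendor protocol is modelled.

```python
# Added example (not from the original article or from Positive Technologies):
# toy model of the "black box" dispenser attack and of an authenticated
# dispenser link that defeats it. Command format, key and cassette contents
# are constructed; this is not any vendor's real protocol.
import hashlib
import hmac
import os
from typing import Optional


def command_tag(key: bytes, nonce: bytes, denomination: int, count: int) -> bytes:
    """HMAC over the dispenser's nonce and the command, binding the two together."""
    msg = nonce + f"DISPENSE:{denomination}:{count}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Dispenser:
    """Cash dispenser in the safe. shared_key=None models a legacy unit that
    executes any well-formed command it receives over its cable."""

    def __init__(self, cassettes: dict, shared_key: Optional[bytes] = None):
        self.cassettes = dict(cassettes)   # denomination -> notes left (constructed)
        self.shared_key = shared_key
        self._nonce = None

    def challenge(self) -> bytes:
        """Issue a one-time nonce; the next command must be tagged with it."""
        self._nonce = os.urandom(16)
        return self._nonce

    def dispense(self, denomination: int, count: int, tag: Optional[bytes] = None):
        if self.shared_key is not None:
            nonce, self._nonce = self._nonce, None   # consume the nonce: no replays
            if nonce is None or tag is None:
                return False, "no challenge/tag"
            expected = command_tag(self.shared_key, nonce, denomination, count)
            if not hmac.compare_digest(expected, tag):
                return False, "bad MAC"
        if self.cassettes.get(denomination, 0) < count:
            return False, "insufficient notes"
        self.cassettes[denomination] -= count
        return True, count


def legit_core_dispense(dispenser: Dispenser, key: bytes, denomination: int, count: int):
    """The ATM's own computer, which holds the provisioned key."""
    nonce = dispenser.challenge()
    tag = command_tag(key, nonce, denomination, count)
    return dispenser.dispense(denomination, count, tag), tag


def black_box_drain(dispenser: Dispenser) -> int:
    """Attacker's laptop plugged into the dispenser cable: asks for every note
    in every cassette. It can request a challenge but has no key to answer it."""
    taken = 0
    for denomination, notes in list(dispenser.cassettes.items()):
        dispenser.challenge()
        ok, result = dispenser.dispense(denomination, notes, tag=bytes(32))
        if ok:
            taken += denomination * result
    return taken


def demo() -> dict:
    cassettes = {100: 200, 500: 300, 2000: 100}   # constructed: 370,000 in total
    key = b"constructed-per-device-secret"         # constructed; real keys live in secure storage
    legacy = Dispenser(cassettes)
    hardened = Dispenser(cassettes, shared_key=key)

    legacy_drained = black_box_drain(legacy)       # the whole vault
    hardened_drained = black_box_drain(hardened)   # nothing: every command fails the MAC

    (legit_ok, _), captured_tag = legit_core_dispense(hardened, key, 500, 4)
    # Attacker replays the captured legitimate tag after requesting a fresh challenge.
    hardened.challenge()
    replay_ok, _ = hardened.dispense(500, 4, captured_tag)

    return {
        "legacy_drained": legacy_drained,
        "hardened_drained": hardened_drained,
        "legit_ok": legit_ok,
        "replay_ok": replay_ok,
        "hardened_remaining_500": hardened.cassettes[500],
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the legacy unit hands over the entire vault, while the hardened unit rejects both the attacker's commands and a replay of a captured legitimate command. Note what this does not stop: malware running on the ATM's own computer, the remote-access case in the paragraph above, still has the key and can issue accepted commands, which is why the two attack types are treated separately.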

Interview with the researcher Artur Garipov on ATM hacking:


What methods do attackers use to infect ATMs with GreenDispenser?

I cannot give an exact answer to that question. It would be necessary to look at the GreenDispenser code in detail.

The methods of infecting an ATM may differ. It can be as simple as installing it along with regular software, temporarily disconnecting the ATM from the network for the purpose of infection.

For a more detailed answer it is necessary to understand how the ATM interacts with the processing center, and what the system for controlling and administering these devices is.
Most often these solutions are vendor-dependent and differ not only between banks but also between ATMs.

a. Consider the interaction between the ATM and the processing center.
Most often the traffic goes through an Internet provider, inside a VPN tunnel.
Breaking the tunnel is very problematic, and faking a processing center is not easy either.
But very often there is an opportunity to disable the VPN, get onto the same network as the ATM, and then attack some ATM service in a way that leads to RCE (remote code execution).
On the other hand, attackers can attack the processing center itself and make changes to the update system.
In some cases the ATM system is updated remotely, through an update server. Sometimes installation is local.

b. But most often the malware is installed locally.


An attacker simply opens the service area of the ATM. At its core it is a regular computer with ATM peripherals attached. He can then install the Trojan locally.

Specialists are hired for such jobs. Announcements with such tasks can be found on the darknet or on specific forums.

The new version of the Ploutus malware, "Ploutus-D", targets ATMs using KAL's Kalignite platform. What other recent and popular platforms are targeted by malware?
I have not had to work with this system (Kalignite). Perhaps there is something specific here. Malware, in general, attacks the security of the operating system, and the platform and API system through which it works can easily be changed from one to another.


APIs for ATM middleware are not well documented. How were attackers able to write malware that interacts with the middleware?
I do not agree. There is currently more than enough documentation on the Internet. Everything is easy to find with the main search engines. The key is knowing the keywords:
https://wenku.baidu.com/view/aa32823987c24028915fc3be.html
And for practice, an ATM is enough:
Http://www.ebay.com/sch/i.html?_from=R40&_trksid=p2050601.m570.l1313.TR0.TRC0.H0.Xatm.TRS0&_nkw=atm

NDAs do not protect.

How do you detect the presence of this malware in ATMs?
Unfortunately, most often it is the result of an incident investigation.
But there are, of course, other approaches.

What other security measures need to be taken to prevent this malware attack?
This is a separate and very large topic for discussion. But it is worth understanding that, more often than not, ATM hacking is done "locally". It is for this purpose that a button is installed on ATMs. Unfortunately, the attackers also know about it.

Do you think hackers and cyber criminals will weaponize ATM malware like GreenDispenser with a worm-like engine (as used by W32.Blaster or W32.FunLove)? What happens to the world if W32.Blaster carries GreenDispenser in it?
Such systems should exist. The question is that they would be more difficult to detect.
And the purpose of such systems is a targeted attack: a specific bank, a specific billing system.