Search This Blog

Showing posts with label .skl files. Show all posts

Black Box: A New ATM Attack that Diebold Nixdorf Warns Off

A unique kind of ATM attack has come to surface called "Black Box." ATM developer Nixdorf warns the financial sector to stay on alert. The attack was widespread accross Europe recently. The Black Box ATM attacks are similar to Jackpotting, in which hackers make the ATMs dispense out cash in piles. Hackers use jackpotting to attach a malware in the ATM or use a black box instead. "Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed.
"Although the fraudster is still connecting an external device, at this stage of our investigations, it appears that this device also contains parts of the software stack of the attacked ATM," says Diebold.

In the case of black-box attacks, the hacker tampers with the ATM's external casing and gets access to the port. The hacker can also put a hole in the machine to find internal wires and connectors. Once the hacker has access, he connects the black-box with the ATM through a laptop, building a connection with the internal systems. After this, the hacker then has control over the command options and uses it to dispense cash out of the ATM.

These kinds of jackpotting attacks on ATMs have happened for a decade. The jackpotting attacks have been quite famous among gangs, as the method is very cost-effective and profitable. Jackpotting attacks are more straightforward compared to cloning cards, ATM skimming, and laundering money, which consumes quite a lot of time. Another reason for the popularity of black-box attacks is that the noob hackers (amateur) don't have to spend a lot of money to get a black box. One can purchase a device and launch an ATM attack without having to spare a lot of time.

"In recent incidents, attackers focus on outdoor systems and are destroying parts of the fascia to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker to send illegitimate dispense commands," says Diebold on his website.

Hackers abusing .slk files to attack Microsoft 365 users

Avanan’s Security Analysts have recently discovered a threat bypassing Microsoft 365 security, the attack uses .slk files to avoid detection.

The attack groups send emails containing .slk file as an attachment with macro (MSI exec script) to download and install the trojan. Although this attack is limited to Microsoft 365, bypassing both of its default security (EOP) and advanced security (ATP), it does put around 200 million-plus users in jeopardy.

 By far Gmail users are safe from this threat as Google blocks .slk files and does not allow to be sent as an attachment.

The attack

“Symbolic Link” (SLK) file is an older human-readable text-based spreadsheet format last updated in 1986. Back when XLS files were private, .slk were open-format alternative for XLS but then XLSX was introduced in 2007 and there was no longer the need of .slk. Now, to the user, these .slk files look similar to an Excellent document and let the attacker move through Microsoft 365 security.

This latest discovery by Avanan’s Security Analysts reveals that these files when installed run a command on the Windows machine. It drives Windows Installer to install any MSI package quietly. This particular attack installs a hacked version of the off-the-shelf NetSupport remote control application giving the attacker full control of the desktop.

Where did the mails come from? 

The majority of the malicious emails were sent from a disposable email address like, “”.

These mails were sent from Hotmail and for a good reason, "While most of the well-known anonymous email sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders", reports

 The peculiar thing about these emails is that they are manually created and targeted personally. No two mails are alike, each one with a different subject and body especially crafted for the receiver with the subject and matter that concerns them.

How to prevent the attack?

The best method to avoid this attack is to simply configure your Office 365 to reject files with .slk extension at least till Microsoft fixes the issue.