“ATM Malware Is Becoming Mainstream” – Newly Discovered Family Drains All Cash from ATMs

Rafia Shaikh
Posted Dec 21, 2016
13Shares
Share Tweet Submit

A new breed of ATM malware has been discovered that targets ATMs and enables attackers with physical access to empty cash from the self-serve machines.

Dubbed as Alice, Europol and Trend Micro first discovered this ATM malware family only last month. However, it has been around since 2014. While being around for nearly a decade, this is only the eighth ATM malware family seen to date, researchers said.

Alice ATM malware – “lightweight, compact, no-nonsense”

ATM malware families fall into two broad categories: those that collect payment card data, log it, and send it to criminals; and then a malware that allows attackers to send real-time commands to ATM with no information realing capabilities. Alice falls into the second group.ip

TrendLabs called it the “most stripped down ATM malware family,” the research team has ever encountered. Alice has no information stealing capabilities and cannot even be controlled via the numeric keypads of ATM. Attackers mainly use Alice by getting access to one of the ATM’s USB or CD-ROM slots to load the malware on the device. Later, they connect a keyboard to interact with the software. They could also “open a remote desktop and control the menu via the network,” however, in the case of Alice, researchers concluded that it was strictly used for in-person attacks only.

Once the malware is executed, attackers would enter a PIN using a keyboard to get access to CurrencyDispenser1, which displays the information on cassettes with money loaded in the machine. Researchers said that Alice only supports three commands that can be issued via specific PINs.

  1. To drop a file for uninstallation
  2. To open the “operator” panel, which has information on the cash available inside the machine
  3. And finally, to exit the program

Unlike other malware families that offer attackers full control over the target ATM, Alice only has one goal – to connect malware to the ATM’s cash dispenser module.

With over 432,000 ATMs installed worldwide, research shows an increasing interest in developing ATM malware. “Up until recently, ATM malware was a niche category in the malware universe, used by a handful of criminal gangs in a highly targeted manner,” Trend Micro said. “We are now at a point where ATM malware is becoming mainstream.”

Share Tweet Submit