A newly discovered family of malware targeting ATMs (automated teller machines) has been designed with the sole purpose of emptying cash from the safes of the self-serve machines, Trend Micro security researchers warn.
Dubbed Alice, the malware is the most stripped-down ATM threat seen to date. It has no information-stealing capabilities and can’t even be controlled via the ATM’s numeric keypad. Initially discovered in November 2016, Alice is believed to have been around since 2014, and Trend Micro says that it is only the eighth ATM malware family seen to date, although such threats have existed for over nine years.
Use of the malware requires physical access to an ATM, and Trend Micro suggests that it has been designed for money mules to steal all the money available in an attacked cash machine, something that malware such as GreenDispenser was seen doing last year.
Unlike that piece of malware, however, the new threat doesn’t connect to the ATM’s PIN pad, and it could also be operated via Remote Desktop Protocol (RDP), although Trend Micro says that there’s no evidence of such use as of now.
Malware analysis revealed that Alice (the name was included in the version information of the binary) was packed with a commercial, off-the-shelf packer/obfuscator called VMProtect, which prevents execution inside debuggers. Further, the malware checks its environment before execution and terminates itself if it determines that it isn’t running on an ATM (it checks for a couple of registry keys and also requires specific DLLs to be installed on the system).
When running on a machine, Alice writes two files to the root directory: an empty file of 5 MB or more called xfs_supp.sys and an error log file called TRCERR.LOG. Next, it connects to the CurrencyDispenser1 peripheral, which is the dispenser device in the XFS environment, and, if the correct PIN is provided, it displays information on the various cash cassettes loaded inside the machine.
Because the malware only connects to the CurrencyDispenser1 peripheral and doesn’t attempt to use the machine’s PIN pad, the researchers believe that the attackers physically open the ATM and infect it via USB or CD-ROM. They further suggest that the actors connect a keyboard to the machine’s mainboard and operate the malware through it.
The security researchers discovered that Alice supports three commands, each issued via specific PINs: one to drop a file for uninstallation, another to exit the program and run the uninstallation/cleanup routine, and a third to open the “operator panel.” This panel is where information on the cash available inside the ATM is displayed.