ATMJackpot Malware Stealing Cash From ATMs

This new ATMJackpot malware originates from Hong Kong.

A new ATM malware has been identified by security researchers at Netskope Threat Research Labs. It has been dubbed as ATMJackpot (named after the technique called ATM jackpotting). Initial investigation revealed that the malware originated from Hong Kong while the time stamp binary is identified to be 28th March 2018.

Apparently, the malware is in its developmental phase yet because, in comparison to other, previously discovered malware, ATMJackpot has limited features. Such as its graphical UI is quite basic and only displays the hostname and information about the service providers (e.g. PIN pad, card reader and cash dispenser service providers).

According to Netskope’s blog post, it is yet unclear how ATMJackpot is deployed or used (physically or remotely) but its purpose is quite clear, which is to steal money from ATMs (automated teller machines).

ATM jackpotting is also called logical attack; it refers to using malware for controlling cash dispensing from an ATM. Usually, malware is delivered to an ATM remotely or through a USB port after compromising the operator network of the ATM.

Netskope didn’t reveal whether ATMJackpot’s deployment was the result of manual installation through USB on ATMs or was it downloaded from an infected network. If the former was the case then it wouldn’t have been difficult for the crooks because installing malware on an ATM physically isn’t difficult at all.

Jackpotting is designed to avoid physical break-in into the machine and can be inserted into the ATM through the USB port. Cybercriminals are quite familiar with the version of Windows used in a majority of ATMs so physically compromising the vault is not an issue for them at all.

The malware starts its malicious operation by registering the “Win” windows class name with a malware activity process and then populates the options available on the system to connect with the XFS manager. A common API is provided by the XFS subsystem to manipulate the machine. A session is then initiated by the malware for registering with the service provider so as to track events.

It also initiates a session with the card reader, PIN pad, and cash dispenser service providers. After tracking events, the malware issues commands and reads data from the PIN pad to dispense cash and eject cards. The malware download has been detected by Netskope as Gen: Variant.Razy.255528.

ATM jackpotting is becoming a serious and concerning issue for security experts. The issue was first noticed in Europe in 2014; soon after it spread to Asian regions. Europol warned in 2017 that attacks on ATMs involving jackpotting technique were on a rise, significantly increasing the scale and scope of the attacks against ATMs.

In January 2018, the US witnessed the first ever jackpotting attack against ATMs. A security alert was issued by the Secret Service and a worldwide operation against the members of the notorious Carbanak group, believed to be involved in attacks on ATMs and stealing over $1.24m, was launched.

The suspected leader of Carbanak group was arrested from Spain in March 2018. However, the latest attack is a clear proof that either the group is still pretty much active or there is another group that is targeting ATMs with such frequency.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.