Kaspersky Discovers New Malware Strain ATMii that Attacks Win7 and Win Vista ATMs.
The IT security researchers at Kaspersky Lab have discovered a new malware strain, called ATMii, that attacks ATMs running Windows 7 and Windows Vista. This means the malware is ineffective on the majority of ATMs, since most of them nowadays still run Windows XP. It also suggests that the operator of ATMii is deliberately targeting the ATMs of a particular network and that the strain has been designed to steal from those machines only.
ATMii was discovered in April 2017 after one of the attacked banks shared a sample with the security researchers at Kaspersky Lab. The team explored ATMii and published the technical breakdown of its capabilities.
According to the analysis by Kaspersky's senior developer Konstantin Zykov, this particular malware strain is not as powerful or dangerous as other ATM malware strains identified so far, such as Rufus, GreenDispenser, Ploutus, SUCEFUL and Skimer. The entire strain consists of only two files, exe.exe and dll.dll.
“The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g., over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM,” wrote Zykov in his blog post.
ATMii is installed on an ATM through network access or a USB device. The attacker copies the two files onto the ATM's storage drive and executes exe.exe, which searches for the running atmapp.exe process. Once it is found, exe.exe injects dll.dll into it. The injected module lets the attacker interact with the genuine atmapp.exe process and take control of the machine.
The injector is written in Visual C and is an unprotected command line application compiled with the timestamp Fri Nov 01 14:33:23 2013 UTC, explained Zykov. That compilation timestamp is about four years old, and it is quite unrealistic to believe that the malware remained unnoticed for such a long time. Therefore, it can be assumed that the attackers used a fake timestamp.
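The point about the suspicious build date is worth checking mechanically: the PE header's TimeDateStamp is trivially forged, so an analyst should compare it against when the sample was actually first seen rather than trust it. The following is an added example (not Kaspersky's tooling and not code from the report) that reads that field from a PE header and flags a stamp that is in the future or implausibly old relative to a first-seen date; the minimal header it parses is constructed inline, and the 2013 stamp and the April 2017 first sighting are the values given in the article.

```python
import calendar
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_plausible(compiled: datetime, first_seen: datetime,
                        max_age_days: int = 365) -> bool:
    """Heuristic: a build stamp dated after the sample was first seen, or more than
    max_age_days before it, should not be trusted as the real build date."""
    age = first_seen - compiled
    return 0 <= age.days <= max_age_days


def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal header for the demo (not a real binary):
    64-byte DOS header, PE signature, 20-byte COFF header with the given stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)  # i386, 1 section
    return bytes(dos) + b"PE\0\0" + coff


# Values from the article: the injector's stamp and the month the sample surfaced.
ATMII_STAMP = calendar.timegm((2013, 11, 1, 14, 33, 23))
FIRST_SEEN = datetime(2017, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    built = pe_compile_time(build_sample_pe(ATMII_STAMP))
    print(built.isoformat(), "plausible:", timestamp_plausible(built, FIRST_SEEN))
```

The same check applied to a sample whose stamp is a few months before its first sighting returns True, so the heuristic only singles out stamps that are far out of line with observed activity.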
Another interesting fact identified by Zykov is that the malware supports three commands for carrying out its malicious operations. The Scan command scans the ATM's cash cassettes to obtain a complete list of the bills stored in the machine at the time of the attack. Through the Disp command, attackers can dispense as much cash as they need, and with the Die command they can instruct the malware to remove itself.