'Self-deleting' Mexican ATM malware let sneaky miscreants slurp cash

Software nasty can be planted, operate and wipe itself all without detection

Security researchers have lifted the lid on a new ATM malware strain, dubbed GreenDispenser, which gives crooks the ability to walk up to a compromised machine and drain its cash.

When installed, GreenDispenser displays an “out of service” message on the ATM – but attackers who enter the correct pin codes can then drain the ATM’s cash before deleting the malware, leaving little trace of how the ATM was robbed.

Proofpoint has witnessed ongoing attacks based on the malware taking place in Mexico. It warns there's little to stop the same techniques from being abused in similar scams in other countries across the world.

The attack has striking similarities from the Ploutus malware scam that surfaced last year and was also linked to theft from ATMs in Mexico as well as another recent strain of ATM malware, dubbed Tyupkin.

Tyupkin first surfaced in Mexico but spread to part of Asia and Russia.

Kevin Epstein, vice president of Threat Operations for Proofpoint, told El Reg that GreenDispenser was a distinct, and in some ways more advanced, threat to predecessor such as Ploutus and Tyupkin.

GreenDispenser has the ability to target ATM hardware from multiple vendors using the XFS middleware standard, which is widely adopted by various ATM vendors.

Initial malware installation of GreenDispenser likely requires physical access to the ATM, raising questions of compromised physical security or corrupt insiders at banks. Once installed, GreenDispenser is similar in functionality to the Tyupkin (AKA Padpin) malware but does exhibit some unique functionality, such as date-limited operation and a form of two-factor authentication.

The malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection. GreenDispenser bundles a batch script that uses sdelete to perform a deep delete to remove itself from an ATM.

Proofpoint suspects that cybercrook bosses have a mobile phone application that acts a form of "two-factor authentication" for cash mules involved in the scam. The functionality allows the gangmasters behind the scam to control who can cash out compromised machines, as explained in a blog post by Proofpoint here (extract below).

GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

ATM malware strains such as GreenDispenser, Tyupkin and Ploutus each allow cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers, potentially making attacks less traceable in the process. ®

Similar topics

Other stories you might like

  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Paid Post Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading

Biting the hand that feeds IT © 1998–2021