First ATM malware is back and badder than ever

Original gangster Skimer goes global

Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat.

Skimer was the first malicious program to target ATMs*. Seven years later, Russian cybercriminals are reusing the malware – but both the crooks and the program have evolved, to pose an even more potent threat to banks and their customers around the globe.

Kaspersky Lab's expert team discovered traces of an improved version of the Skimer malware on one of the affected bank's ATMs. It had been planted there and left dormant until the cybercriminals sent it a control message, a technique that offers criminals an effective mechanism for covering their tracks.

A Skimer attack starts by gaining access to the ATM system – either through physical access or via the bank's internal network. Once Skimer has been installed, it infects the core of the ATM. The malware screws with the processes responsible for the machine's interactions with the banking infrastructure, cash processing and credit cards.

The criminals then have full control over the infected ATMs, but they proceed cautiously. Once an ATM is infected with the Skimer backdoor, criminals can withdraw all the funds in the ATM or grab the data from cards used in the machine, including customers' bank account numbers and PIN codes. Until it is activated, the malware sits surreptitiously gathering information, much like a sleeper agent.

Crooks use a special procedure to recover card data, as Kaspersky Lab experts explain:

In order to wake it up, criminals insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command or request commands through a special menu activated by the card. Skimer's graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the PIN pad into a special form in less than 60 seconds.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card's chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM's receipts.
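A defender-side illustration of the activation sequence described above, added here and not part of the original article or Kaspersky Lab's research: a small Python heuristic that flags PIN-pad entry within 60 seconds of a card ejection while no card is present and no transaction was authorised, run over a constructed ATM event journal in a hypothetical log format (event names and layout are assumptions, not any vendor's real format).

```python
"""Heuristic detector for the Skimer wake-up sequence reported above.

Constructed sample: the journal lines imitate a simplified ATM event log
(hypothetical format, not any vendor's real log). Skimer's menu is said to
appear only after the trigger card is ejected and a session key is typed on
the PIN pad within 60 seconds; a legitimate session never takes keypad
input once the card has left the reader, so that ordering is the signal.
"""
from datetime import datetime, timedelta

# Constructed journal: "<timestamp> <event> [detail]" per line (hypothetical)
SAMPLE_JOURNAL = """\
2016-05-02T10:14:03 CARD_INSERTED track2=****
2016-05-02T10:14:05 PIN_ENTRY digits=4
2016-05-02T10:14:09 TXN_AUTHORIZED amount=100
2016-05-02T10:14:12 CARD_EJECTED
2016-05-02T10:20:30 CARD_INSERTED track2=****
2016-05-02T10:20:33 CARD_EJECTED
2016-05-02T10:20:51 PIN_ENTRY digits=8
"""

def parse_journal(text):
    events = []
    for line in text.splitlines():
        ts, event, *rest = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), event, rest[0] if rest else ""))
    return events

def find_wakeup_candidates(events, window_s=60):
    """Timestamps of PIN-pad entries made within window_s seconds of a card
    ejection while no card is present and no transaction was authorised."""
    hits, card_in, last_eject = [], False, None
    for ts, event, _ in events:
        if event == "CARD_INSERTED":
            card_in, last_eject = True, None
        elif event == "CARD_EJECTED":
            card_in, last_eject = False, ts
        elif event == "TXN_AUTHORIZED":
            last_eject = None
        elif event == "PIN_ENTRY" and not card_in and last_eject is not None:
            if ts - last_eject <= timedelta(seconds=window_s):
                hits.append(ts)
    return hits

def scan(text):
    """Convenience wrapper: ISO timestamps of suspicious keypad entries."""
    return [t.isoformat() for t in find_wakeup_candidates(parse_journal(text))]

if __name__ == "__main__":
    print(scan(SAMPLE_JOURNAL))
```

The first session in the sample is a normal withdrawal and produces no hit; only the card-eject-then-keypad pattern of the second session is flagged.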

Below is a video put together by Kaspersky Lab illustrating how money mules interact with an infected ATM.

Data from skimmed cards is used in order to create counterfeit copies of these cards later, a process made more difficult by innovations such as chip and PIN but still possible in many geographies.

Skimer was first distributed extensively between 2010 and 2013. Its appearance spurred the creation of other strains of ATM malware such as the Tyupkin family, discovered in March 2014, which became the most popular and widespread threat of its kind since. This year has seen the return with a vengeance of Skimer, the original gangster of the ATM malware world.

Kaspersky Lab has now identified 49 modifications of the Skimer malware, with 37 of these modifications targeting the ATMs of just one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.

With the help of samples submitted to VirusTotal, a picture of a very wide geographical distribution of potentially infected ATMs emerges. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic. Samples were likely uploaded by either bank or third-party security response staff investigating suspected infections.

More details on the threat can be found in a blog post by Kaspersky Lab security researchers Olga Kochetova and Alexey Osipov that features code snippets and indicators of compromise related to the malware. ®
