This article is more than 1 year old

Ripper! Boffins find malware thought behind $347k Thai ATM raids

Evil EMV card pwns NCR ATMs, sets dispensary to max

Researchers at security firm FireEye may have found the malware responsible for plundering ATMs across Thailand and other parts of South East Asia.

The security boffins reckon the Ripper malware is "strongly" linked to the plundering last week of ATMs in Thailand in which 12 million Thai baht (US$346,992 ,£265,308, A$458,432) was stolen by a gang thought to herald from Eastern Europe.

Some 21 attacks were made against NCR ATMs between 9 July and 23 August, the Bangkok Post reports.

Police say some of the affected machines spewed around 40,000 baht a time.

The malware bears a July PE compile date tieing in with the August hack, while a sample of Ripper was submitted to the VirusTotal static antivirus analyser from a Thailand IP address.

"On 23 August FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before," senior malware researcher Daniel Regalado says

"This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices.

"... indicators strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand."

Thieves insert a custom EMV card into ATMs which sets up the machines for infection and plundering. Regalado has revealed the malware's internal workings in a technical analysis.

It is unique in that it targets three ATM vendors around the world

The malware can disable local network interfaces, thoroughly wipe forensic evidence, and turn up the dispensary allowance to the maximum of 40 notes per withdrawal.

It is the latest in what appears to be an increase in the number of plundered ATMs across Asia and Japan. ®

More about


Send us news

Other stories you might like