Aug. 30, 2016
by Daniel Regalado, Threat Research, FireEye
On Aug. 23, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before.
Adding more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post reported the theft of 12 million baht ($346,816) from ATMs at banks in Thailand.
In this blog, FireEye Labs dissects this new ATM malware that we have dubbed Ripper (due to the project name "ATMRipper" identified in the sample), and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.
Connection to previous ATM malware
- targets the same ATM brand as those earlier families;
- the technique used to dispense currency follows the same (already documented) strategy used by the Padpin (Tyupkin), Suceful and GreenDispenser families;
- like Suceful, it is able to control the card reader device to read or eject the card on demand;
- can disable the local network interface, similar to capabilities of the Padpin family;
- uses the "sdelete" secure deletion tool, similar to GreenDispenser, to remove forensic evidence; and
- consistently enforces a limit of 40 bank notes per withdrawal, the maximum allowed by the ATM vendor.
New features, capabilities and behaviors in Ripper
- targets three of the main ATM vendors worldwide, which is a first; and
- interacts with the ATM via the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Although this technique has been used by the Skimmer family, it is an uncommon mechanism.
- MD5 — 15632224b7e5ca0ccb0a042daf2adc13
- Ripper persistence — Ripper can maintain persistence in either of two modes: as a standalone service, or by masquerading as a legitimate ATM process.
Ripper installs itself as a service when called with the following argument:
- service install — before creating the service, it kills the process dbackup.exe, which belongs to one common ATM vendor's software, forcibly and together with its child processes: cmd /c taskkill /IM dbackup.exe /T /F
It then replaces the original dbackup.exe binary under c:\Windows\system32\ (if present) with itself.
Finally it installs a persistent service with the following attributes:
Ripper can delete DBackup Service if run with the following argument:
Ripper can stop or start DBackup Service with the following arguments:
- service start
- service stop
Ripper also supports the following command line switches:
- /autorun — sleeps for 10 minutes and then runs in the background, waiting for interaction;
- /install — replaces the running ATM vendor software with itself, as follows:
- upon execution, Ripper kills the running processes belonging to the three targeted ATM vendors' software via the native Windows taskkill tool;
- Ripper examines the contents of the directories associated with the targeted ATM vendors and replaces the legitimate executables with itself. This lets the malware keep the legitimate program name to avoid suspicion; and
- Ripper maintains persistence by adding itself to the \Run\FwLoadPm registry value (which may already exist as part of the vendor installation), passing the /autorun parameter understood by the malware (figure 1).
- /uninstall — Ripper removes the registry entries it created.
Running without parameters
If Ripper is executed without parameters, it will perform the following actions:
- it connects to the cash dispenser, card reader and PIN pad. Since every ATM brand uses its own device names, Ripper identifies the installed devices by enumerating them under the following registry key, where the CEN/XFS middleware registers its logical services: HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\
- Ripper will make sure the devices are available by querying their status (figure 2) and, if they are not available, will exit;
- for the dispenser it will obtain information such as the cash unit details in order to determine the number and type of available notes;
- finally it starts two threads. The first monitors the status of the ATM devices (figure 3) to make sure they remain available, and reads every keystroke received from the PIN pad while waiting for the thieves to interact with it;
- the second thread monitors the card reader and, once a card is inserted, validates the EMV chip, which serves as the thief's authentication to the malware.
- once a valid card with a malicious EMV chip is detected, Ripper starts a timer and allows the thief to control the machine (figure 4);
- once the thieves start interacting with Ripper, they enter instructions via the PIN pad and multiple options are displayed, including methods for dispensing currency (figure 5).
- CLEAN LOGS — clears the log stored at: C:\WINDOWS\temp\clnup.dat;
- HIDE — hides the malware GUI by calling ShowWindow() API;
- NETWORK DISABLE — shuts down the ATM local network interface to prevent it from communicating with the bank. It can reenable the connection if needed;
- REBOOT — calls the ExitWindowsEx() API with the force flag (EWX_FORCE), which suppresses the WM_QUERYENDSESSION message so that no application can prompt for confirmation, and reboots the system; and
- BACK — ejects the malicious ATM card back to the thieves by calling WFSExecute() with the command WFS_CMD_IDC_EJECT_CARD. Use of this option (figure 6) was also observed in the Suceful family.
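The service-install, /install and menu sections above give a responder a concrete set of host-side artefacts to look for on an ATM's Windows host. The following PowerShell triage script is an added example and is not part of the FireEye analysis. It checks the indicators the write-up names (the sample MD5, the replaced dbackup.exe, the Run\FwLoadPm value launched with /autorun, a service whose image matches the hash, the clnup.dat log, and a physical network adapter left disabled) and lists the XFS logical services registered on the host, since that is the same key Ripper enumerates. The write-up does not say which hive the FwLoadPm value lives in, so checking both HKLM and HKCU is an assumption; the helper names and the output format are mine.

```powershell
# Added triage script, not part of the FireEye write-up. Checks a Windows ATM
# host for the Ripper indicators described in the article. Paths, value names
# and the sample MD5 come from the article; helper names and output are mine.

$RipperMd5 = '15632224b7e5ca0ccb0a042daf2adc13'
$Findings  = @()

function Get-FileMd5 {
    param([string]$Path)
    # .NET MD5 rather than Get-FileHash, which needs PowerShell 4 and is
    # missing on the older Windows builds still common on ATMs.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; return just
    # the executable (unquoted paths containing spaces are truncated at the
    # first space, which is good enough for triage).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# 1. Service-install mode replaces the vendor's dbackup.exe under System32.
$dbackup = Join-Path $env:SystemRoot 'System32\dbackup.exe'
if (Test-Path $dbackup) {
    $hash = Get-FileMd5 $dbackup
    if ($hash -eq $RipperMd5) { $Findings += "dbackup.exe matches the Ripper sample MD5 ($hash)" }
}

# 2. /install mode: Run\FwLoadPm pointing at a binary launched with /autorun.
#    Assumption: the value sits under the standard HKLM or HKCU Run key; the
#    article names only the value, not the hive.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        $val = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).FwLoadPm
        if ($val -and $val -match '/autorun') { $Findings += "Run\FwLoadPm ($hive) launches: $val" }
    }
}

# 3. Any service whose image is the sample. The article does not give the
#    service name Ripper registers, so match on the hash instead.
foreach ($svc in Get-WmiObject Win32_Service) {
    $exe = Get-ServiceImagePath $svc.PathName
    if ($exe -and (Test-Path $exe) -and ((Get-FileMd5 $exe) -eq $RipperMd5)) {
        $Findings += "service '$($svc.Name)' runs the Ripper sample from $exe"
    }
}

# 4. The log file that the CLEAN LOGS menu option wipes.
$log = Join-Path $env:SystemRoot 'temp\clnup.dat'
if (Test-Path $log) { $Findings += "Ripper log present: $log" }

# 5. NETWORK DISABLE leaves a physical adapter disabled. The PhysicalAdapter
#    and NetEnabled properties do not exist on Windows XP, so this check
#    silently finds nothing there.
foreach ($nic in Get-WmiObject Win32_NetworkAdapter) {
    if ($nic.PhysicalAdapter -and $nic.NetEnabled -eq $false) {
        $Findings += "physical network adapter disabled: $($nic.Name)"
    }
}

# 6. Context for the responder: which XFS logical services (dispenser, card
#    reader, PIN pad) this vendor stack registers. Ripper enumerates this key.
$xfsKey = 'Registry::HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES'
if (Test-Path $xfsKey) {
    $names = (Get-ChildItem $xfsKey | ForEach-Object { $_.PSChildName }) -join ', '
    Write-Host "XFS logical services registered: $names"
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Ripper indicators found.'
} else {
    Write-Host 'Ripper indicators found:'
    foreach ($f in $Findings) { Write-Host " - $f" }
}
```

Run it from an elevated prompt on the ATM host; against a mounted forensic image, adjust the paths and load the offline hives first. A match on the hash alone is conclusive for this sample, while the FwLoadPm, clnup.dat and disabled-adapter checks are behavioural indicators that a repacked variant would still trigger.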
Through open sources, we've identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware.
This malware family can be used to compromise multiple vendor platforms, and it leverages uncommon technology to access physical devices.
In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves.
This article originally appeared on the FireEye blog at www.FireEye.com, and was reprinted with permission.