The RIPPER malware linked to the recent ATM attacks in Thailand

Experts from FireEye  who analyzed the RIPPER malware believe it was used by crooks in the recent wave of cyber attacks against ATM in Thailand.

Earlier this month a malware was used by a criminal organization to steal 12 million baht from ATMs in Thailand.

According to FireEye, the malware was uploaded for the first time to the online scanning service VirusTotal on Aug. 23, 2016. The malicious code was uploaded from an IP address in Thailand a few minutes the cyber heist was reported by media.

Experts from FireEye who analyzed the malware, dubbed RIPPER because researchers found the “ATMRIPPER” name in the sample, revealed that it implemented techniques not seen before.

Hackers belonging to a cybercrime gang from Eastern Europe have stolen over 12 Million Baht (approximately US$346,000) from a 21 ATMs in Thailand.

The Central Bank of Thailand (BoT) has issued a warning to all the banks operating in the country about security vulnerabilities that plague roughly 10,000 ATMs. It seems that hackers exploited such flaws to steal cash from the ATMs. The same gang was involved in similar attacks against top eight banks in Taiwan. In Taiwan, the thieves have stolen NT$70 Million ($2.2 Million) in cash forcing the banks to shut down hundreds of their cash machines.

The warning issued by the Central Bank of Thailand follows the decision of the Government Savings Bank (GSB) to shut down roughly 3,000 ATMs of its 7,000 machines in response to a recent wave of attacks that targeted its machines.

According to FireEye, the RIPPER malware borrows multiple features from other ATM malware:

• Targets the same ATM brand.
• The technique used to expel currency follows the same strategy (already documented) performed by the Padpin (Tyupkin),SUCEFUL and GreenDispenser.
• Similar to SUCEFUL, it is able to control the Card Reader device to Read or Eject the card on demand.
• Can disable the local network interface, similar to capabilities of the Padpin family.
• Uses the “sdelete” secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
• Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.

The RIPPER malware also implements new features, for example, it was designed to target three of the main ATM Vendors worldwide, which is a first.

The RIPPER malware interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip, with this mechanism crooks authenticate themselves to the cash machine. This mechanism is uncommon, the Skimmer use this method too.

In order to gain persistence, the RIPPER malware uses either a standalone service or masquerade itself as a legitimate ATM process.

When the RIPPER is installed as a service, it first killk the process “dbackup.exe”, then replaces it with its binary, then it installs the persistent service “DBackup Service.”

“RIPPER can stop or start the “DBackup Service” with the following arguments:

“service start” or “service stop”

RIPPER also supports the following command line switches:

/autorun: Will Sleep for 10 minutes and then run in the background, waiting for interaction.

/install: RIPPER will replace the ATM software running on the ATM as follows:

Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows “taskkill” tool.

RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion.” continues FireEye.

When RIPPER malware is executed without any parameters, it performs a series of actions, such as connecting with the local peripherals (i.e. Cash Dispenser, Card Reader, and the Pinpad).

Then the threat detects a card with a malicious EMV chip it starts a timer to allow a crook  to control the ATM via the Pinpad.

The crooks can perform multiple malicious actions, including clear logs and shut down the ATM local network interface.

Back to the Thailand attacks, below are reported similarities between the RIPPER malware and the malicious code used by the gang.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –banking, RIPPER malware)