The South America connection and the leadership on ATM Malware development

Pierluigi Paganini March 12, 2018

Besides being known about corruption scandals, South America is a reference to the development of ATM malware spreading globally with Brazil, Colombia, and Mexico leading the way.

A research conducted by KASPERSKY has revealed a convergence on attacks against financial institutions, where traditional crimes and cybercrime join forces together to target and attack ATM (Automated Teller Machine) machines.

Around the globe, the region where criminals had achieved expertise and have become highly professionals is Latin America. As a resulting of this criminal union to steal money directly from ATM, criminals and cybercriminals from Latin America have been developing brand new zero-day techniques and tools that are not found in any other place in the world.

These tools and techniques that were developed are imported from Eastern Europe and customized, to pave the way to other criminals and create a network of malware on a global scale.

The research points to a combination of factors behind the development of ATM malware like obsolete operating systems and a availability of development platforms to create the malicious codes such as .NET framework.

The report points out the motivation being a key factor to criminals, but we can consider also as a key factor the corruption that is widespread in every level of Latin America society. The prevalence of corruption can be considered as a fuel to criminal motivation once piracy and corporate data are sold in every corner of Latin America countries. Also, it is important to notice the role of insider informants in organizations, where employees give precise details and reveal the security measures in place to be bypassed by criminals.

Among the myriad of techniques employed to rob banks, the criminals still use explosives on a regular basis, due to its effectiveness and cost benefit. Security measures like cameras and CCTV, for example, are easily bypassed in a raid that takes just a few minutes. The collateral damage caused by the use of explosives goes beyond the ATM machines of the bank agencies in which they are located also reaching out public squares, shopping malls and buildings nearby the banks.

Brazilian banks in an attempt to stop ATM attacks have adopted ink cartridges to stain the ballot and make them useless when the ATM is blown up. However, the organized crime developed a special solvent to remove the ink. Other attack vectors exploited by criminals in Latin America is the use of obsolete unpatched software, like Windows XP or Windows 2000 in production environments. ATM machines were also found with cables and network devices exposed to no implementation of physical security measures in place.

Brazilian criminals do not restrict themselves to this approach developing other ways to compromise banking security. Fake replicas to cover the front of ATM machines and steal card data and PIN numbers are also used. In many cases, these fake machines are installed in daylight in retail business and supermarkets. The components to assembly such replicas are sold in the black markets and on online stores easily.

Another common type of ATM machine fraud in Brazil is the “Chupa Cabra”, where criminals install skimmer devices that get all data from the credit card once they are inserted on ATM machines.

Once these methods involve exposure, and criminals can be recognized by cameras and CCTV devices alike they have also started to use malware to attack banking systems.

The report describes four stages used by criminals to steal money from ATM machines, that are: Local/remote access to the machine, installation of malicious code in ATM system, reboot of the target device and withdraw of the money. Aiming to evade security from ATM machines criminals from Latin America have developed different malware to steals money, both intercepting data from keypads running Windows machines (Chupa Cabra malware) and by remote access. To withdraw money with malware criminals can program a specific key combination of PIN pad, insert a “special card” or send a remote command to a machine infected in the bank network.

The report has found out that there is a cooperation between Eastern European and Latin American criminals. In 2017, a coordinated Police operation took place where 31 criminals were arrested for credit card cloning in Cuba, Ecuador, Venezuela, Romania, Bulgaria, and Mexico. This major operation highlights the criminal network working together globally. This union backs to 2008 when the first malicious program to infect ATM machines was developed (Backdoor.Win32.Skimer) aiming to target Russia and Ukraine. In 2014, the researchers discovered the Tyupkin malware affecting ATM machines in several Eastern Europe institutions.


There was collected enough evidence that a collaboration between criminals has taken place with the involvement of Latin American criminals involved in the development of ZeuS, SpyEye and other banking malware created in Eastern Europe. This criminal cooperation has resulted in coding quality and sophistication of Latin American malware and sharing of infrastructure for deployment. Also, it was found out that Latin American criminals access Russian underground forums on a constant basis looking for samples, to buy new malware or even exchange data about ATM/PoS malware. It is believed that this criminal exchange started back in 2008.

As we dive into the development of ATM malware in Latin America we can highlight specific examples in Mexico, Colombia, and Brazil. In Mexico, on October 2013, was spotted the Ploutus malware. According to Greek mythology, Ploutus represents the abundance and wealth. At a first moment, the malware was difficult to identify being detected as Backdoor.Ploutus by Symantec or by Trojan-Banker by Kaspersky. The damage caused by this malware surpassed $64 million only in Mexico and has compromised 73.258 ATMs. In a nationwide operation deflagrated during 2014 and 2015, related to robberies using malware, it was uncovered a criminal network acting on 450 ATMs from 4 major Mexican banks.

The machines were located in places that had no surveillance or limited physical security, and the malware was deployed both using CD-ROM drive or by USB port. The attack caught the attention of banks security departments because the transportation company started to receive phone calls and alerts regarding uncommon high amounts of money being withdrawn hours later being filled. Other attacks took place on dates where the ATMs was stocked with more money to supply customer demands, like the Mexican Black Friday and on Valentine’s day. In this scenario, the cybercriminals obtain licenses that are valid for one day to withdraw money from any number of machines. It takes, according to the report, from two and a half to three hours to entirely empty an ATM machine. The cybercriminals gangs are composed of at least 3 individuals, while the campaigns can have up to 300 people involved. Each group compromise a chosen ATM obtaining its data to further request an activation code and have full access to the ATM service.

As discovered by the researchers there are at least four different versions of the malware, and the last one dating back to 2017 has bugs fixes and code improvements. On its first version, there was no reporting on the activities on the ATM and the command and control server. Also, an SMS module used to obtain a unique identifier for the machine was found, that enabled the activation of malicious code remotely for criminals on the machine to withdraw money. The procedure with 5 stages is the following: Compromise of the ATM via physical access, installation of the malware as a Microsoft Windows Service, acquisition of ATM ID, activation of ATM remotely or physically and withdraw while the malware is active for 24 hours.

The latest versions of the malware, named Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR: Trojan.Win32.Generic by researchers, have the capability of full remote administration of infected ATMs and diagnostic tools. The cybercriminals switched their methods and instead of using physical keyboards they now use WiFi access with a modified TeamViewer Remote management module to reduce risks.

As we advance analyzing the developments in Latin America of ATM malware, we have to notice a sum of factors involving corruption, insider threats and legit software in Colombia. According to the report, in October 2014, 14 ATMs were compromised in different cities of Colombia leading to a loss of 1 million Pesos without any trackable transaction. An employee of one bank was arrested being suspected of installing remotely malware in ATMs using privileged information before quitting his job. The suspected had worked for the Colombian police for 8 years as an electronic engineer and police investigator. In his duty, he was in charge of large-scale investigations.

But on October 25th he was arrested under the charge of a multi-million fraud scheme at a Columbian bank. He had in his possession remote access to 1.159 ATMs across Colombia and a modified version of legitimate ATM software that paved the way for other members of the criminal organization to commit fraud in six different cities in less than 48 hours. To launch the attack the former police officer used a modified version of the ATM management software distributed by the manufacturer and their technical staff. He used his clearance to access the software, that after installation interacted with the XFS standard to send commands to the ATM. In this case, the target was the Diebold ATM machine. After the attack, a special access was granted that permitted the installation of any ATM malware including Ploutus. The name of the malware as described by the researchers is Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus.

Last but not least, we have to consider the country of nationwide corruption scandals: Brazil. Brazil is known for the development and spread of locally build malware to target both ATM and PoS devices. Researchers found out in 2017 a new malware named Prilex being spread that was developed from scratch by Brazilian criminals, that doesn’t have similarities with another malware family. The difference in Brazilian malware is that instead of using the common XFS library to interact with the ATM sockets it uses a specific library of vendors. There is a suspicion of insider threats sharing information with criminals due to the cybercriminals deep knowledge about the network diagram as well as the internal structure of the ATM used by the banks. A specific user account of an employee of the bank was found that also raised the doubt of a targeted attack taking place to exfiltrate information.

The malware was named by researchers as Trojan.Win32.Prilex and once running it is capable of dispersing money from the sockets using special windows that are activated through a specific key combination. It also contains a component that reads and collects data from the magnetic stripe of the cards used at the ATMs infected with the malware. Measures were taken globally to reduce credit card fraud, but researcher discovered another development of Brazilian criminals to steal card data and clone chip and pin cards.

A modified version of the malware with additional features was discovered by researchers aimed to infect point of service (PoS) terminals to collect card data. This new variant is capable of modifying PoS software to allow a third party to capture the data transmitted to a bank. The Prilex group also developed new ways to clone cards and bypass security mechanisms. The card works based on a standard called EMV. The chip on the card is a microcomputer that can run applications and once inserted in a PoS terminal it begins a sequence of four steps.

The first step is called initialization and the terminal receives basic information like cardholder name, expiration date, and the applications installed. The second step is data authentication where the terminal checks if the card is authentic using cryptographic algorithms. On the third step called cardholder verification, the user is requested to provide the PIN code to prove he is the owner of the card. The fourth step is where the transaction happens. As noted by the researchers only step one and forth are mandatory. For this reason, Brazilian criminals can easily bypass authentication and verification steps.

The number and the complexity of steps needed for transactions depend on the available applications on the card, which the PoS asks the card during its first handshake. As the researchers notice, the criminals created a Java application for cards to run that has two functions. The first tells the PoS terminal that data authentication is not necessary bypassing in this way the cryptographic operation. The second function is based on the EMV standard to check if the PIN is correct on the application running in the card. The cybercriminals application can validate any PIN as correct no matter what PIN is informed. Even random numbers are accepted as a valid input.

The researchers discovered a complex infrastructure where Prilex operates. Besides the Java applet, a client application called “Daphne” is used to write information on smart cards and a database with card numbers and other data. The daphne application is used to check the amount of money that can be withdrawn with the card and to clone both credit and debit cards. The cybercriminals sell the application as a package to other criminals in Brazil to clone cards.

On its recommendations, the report lists two scenarios, one with direct bank losses and other with losses to the customers. The attackers will have to bypass the customer authentication mechanisms or bypass ATM security. Criminals are shifting from physical attacks to logical attacks that helps them to go unnoticed for longer periods of time. The researchers suggest that manufacturers and vendors should improve security measures and work with antimalware companies to better address logical attacks. The researchers also suggest the use o Threat Intelligence to further collect information on new developments of malware families.

To address the card cloning issue, the researchers recommend a constant verification of the card transaction history and the communication to the bank in case of suspicious activity. None the less, the researchers recommend that users only use AndroidPay or Applepay to avoid the disclosure of card data and to separate a card to internet payments. Finally, it is recommended to users to avoid keep large sums of money on the card.


About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment