ATMJackpot, a new strain of ATM Malware discovered by experts

Pierluigi Paganini April 08, 2018

A new strain of ATM jackpotting malware dubbed ATMJackpot has been discovered by experts at Netskope Threat Research Labs.

The malware is still under development and appears to have originated in Hong Kong, it has a smaller system footprint compared with similar threats.

“Netskope Threat Research Labs has discovered a new ATM malware, “ATMJackpot.” The malware seems to have originated from Hong Kong and has a time stamp on the binary as 28th March 2018.” reads the analysis published by the experts at Netskope.

“It is likely that this malware is still under development. Compared with previously-discovered malware, this malware has a smaller system footprint,”

The malware has a smaller system footprint, it has a simple graphical user interface that displays a limited number of information, including the hostname, the service provider information such as cash dispenser, PIN pad, and card reader information.

ATMJackpot malware

At the time, it is not clear that attack vector for the ATMJackpot malware, usually this kind of malware are manually installed via USB on ATMs, or downloaded from a compromised network.

“ATM Malware propagates via physical access to the ATM using USB, and also via the network by downloading the malware on to already-compromised ATM machines using sophisticated techniques.” continues the analysis.

ATMJackpot malware first registers the windows class name ‘Win’ with a procedure for the malware activity, then the malicious code creates the window, populates the options on the window, and initiates the connection with the XFS manager.

The XFS manager implements API to access that allow controlling the ATM devices from different vendors. The malware opens a session with the service providers and registers to monitor events, then it opens a session with the cash dispenser, the card reader, and the PIN pad service providers.

Once the session with service providers are opened, the malware is able to monitor events and issue commands.

Experts believe authors of the malware will continue to improve it and they expect it will be soon detected in attacks in the wild.

The number of ATM jackpot attacks is increasing in recent years, in January US Secret Service warned of cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

In May 2017, Europol arrested 27 for jackpotting attacks on ATM across Europe, in September 2017 Europol warned that ATM attacks were increasing.

Criminal organizations are targeting ATM machines through the banks’ networks, the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

A few weeks ago, the alleged head of the Carbanak group was arrested in Spain by the police, the gang is suspected of stealing about £870m (€1bn) in a bank cyberheist.

Further information on ATM Malware and jackpotting are available here.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ATMJackpot, jackpotting )

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment