ATM MALWARE
Analysts using RSA ECAT can triage systems across the network with minimal effort, drastically decreasing the overall response time. When an organization deploys RSA ECAT on ATMs and properly baselines those systems, the process of detecting anomalous activity is even easier. Whitelisting and blacklisting of files with RSA ECAT can also streamline the monitoring and investigation processes.
RSA ECAT DETECTION: TROJANSPY:ATM/PLOUTUS
TrojanSpy:ATM/Ploutus allows criminals to use a mobile phone to access an ATM by sending a simple text message that ultimately results in cash being immediately dispensed. The variant we analyzed, Backdoor.Ploutus.B, is an evolution of the malware and was used in several bank thefts between 2013 and 2015. This malware is a Trojan horse that opens a back door on a compromised ATM using a USB link to a connected mobile phone, enabling the attacker to manage the ATM via text messages (SMS). Running an RSA ECAT agent (version 4.1 was used for this analysis) on an ATM terminal infected with Backdoor.Ploutus.B quickly detects the malicious process. RSA ECAT scores modules from 1 to 1024, where a higher score indicates a higher confidence that the process is malicious. The figure below shows the threat score collected from RSA ECAT.
Figure 8: ECAT Score for Win32.Ploutus Malware
RSA ECAT DETECTION: BACKDOOR.ATM.TYUPKIN
Backdoor.ATM.Tyupkin is another malware variant that allows cyber criminals to empty cash machines via direct manipulation. Once inside the bank's network, the attacker can traverse the network and introduce secondary tools to harvest credentials and obtain the data they are seeking. Even once attackers have the data they need and are preparing to exfiltrate it, potentially via a staging server on the bank's network, RSA ECAT can quickly identify the Backdoor.ATM.Tyupkin process on an infected system. This is illustrated in Figure 9. If the Yara signatures included with this report are deployed to RSA ECAT, this module would have received a score of 1024 (the worst possible score).

Figure 9: RSA ECAT score on Backdoor.ATM.Tyupkin
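The triage workflow described above (baseline the clean ATM image, whitelist or blacklist known files, score each module on the 1 to 1024 scale with a Yara hit forcing the worst score) is sketched here as an added example; it is not RSA ECAT's code, and the record fields, weights, hashes and rule name are constructed for illustration.

```python
# Added example, not RSA's code: a toy module scorer modelled on the workflow the
# report describes. Scores run 1..1024 (higher = more suspicious); a whitelisted
# hash drops to 1, a blacklisted hash or any Yara hit is forced to 1024, and
# everything else is scored by deviation from the clean ATM baseline.
MAX_SCORE = 1024   # worst possible score on the report's scale
MIN_SCORE = 1

# Hypothetical weights for baseline deviations (not ECAT's real heuristics).
WEIGHTS = {"not in baseline": 300, "unsigned": 200,
           "persistence": 150, "touches card data": 300}

def score_module(module, baseline, whitelist=frozenset(), blacklist=frozenset()):
    """Return (score, reasons) for one module record.
    module fields (hypothetical): sha256, path, signed, yara_hits, persistence,
    reads_card_data. baseline: sha256 set captured from the clean ATM image."""
    h = module["sha256"]
    if h in whitelist:
        return MIN_SCORE, ["whitelisted"]
    if h in blacklist or module["yara_hits"]:
        reasons = ["blacklisted"] if h in blacklist else []
        reasons += ["yara:" + r for r in module["yara_hits"]]
        return MAX_SCORE, reasons
    score, reasons = MIN_SCORE, []
    flags = {"not in baseline": h not in baseline, "unsigned": not module["signed"],
             "persistence": module["persistence"],
             "touches card data": module["reads_card_data"]}
    for name, hit in flags.items():
        if hit:
            score += WEIGHTS[name]
            reasons.append(name)
    return min(score, MAX_SCORE), reasons   # clamp to the scale's ceiling

def triage(hosts, baseline, whitelist=frozenset(), blacklist=frozenset()):
    """Rank (host, path, score, reasons) worst-first across all scanned ATMs."""
    rows = [(host, m["path"], *score_module(m, baseline, whitelist, blacklist))
            for host, mods in hosts.items() for m in mods]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data: hashes, paths and the Yara rule name are placeholders.
BASELINE = {"aaaa01", "aaaa02"}
HOSTS = {
    "atm-lobby-01": [
        {"sha256": "aaaa01", "path": r"C:\Windows\System32\svchost.exe", "signed": True,
         "yara_hits": [], "persistence": False, "reads_card_data": False},
        {"sha256": "ffff99", "path": r"C:\Windows\Temp\suspect.exe", "signed": False,
         "yara_hits": ["placeholder_atm_rule"], "persistence": True, "reads_card_data": False}],
    "atm-branch-07": [
        {"sha256": "bbbb42", "path": r"C:\ProgramData\xfs\svc.exe", "signed": False,
         "yara_hits": [], "persistence": True, "reads_card_data": True}]}

if __name__ == "__main__":
    for host, path, score, why in triage(HOSTS, BASELINE):
        print(f"{score:5d}  {host:14s} {path}  ({', '.join(why) or 'clean'})")
```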
RSA ECAT DETECTION: BACKDOOR.ATM.SUCEFUL
Backdoor.ATM.Suceful is a newer variant in the ATM malware landscape. It incorporates features traditionally not built into ATM malware. The new malware uses an advanced technique to target cardholders. Once the ATM system is infected, the malware is able to record card- and user-supplied data for the inserted credit or debit card, including payment account details, IDs and PIN