ATM MALWARE

Recommendations

Info

Figure 2: FTP Download Next, the attacker can activate the malicious software on the ATM machine, which is illustrated in Figure 3 below. Figure 3: Backdoor.ATM.Suceful Panel In this case, RSA Security Analytics can easily identify and alert of the use of RDP and FTP communications protocols. This is illustrated in the Detection Section of this paper. CASH THEFT METHODS TROJANSPY:ATM/PLOUTUS The Ploutus variant, discussed above, uses an interesting approach to dispense cash. Initially, the attackers install the malware on the machine, which is connected to a mobile phone via a USB cable. Once connected, the attacker sends two SMS messages to the mobile phone; one for the activation of the malware, and the second containing a command to dispense money from the machine. The messages received on the phone are forwarded to the ATM as a TCP or UDP packet, and executed by the Ploutus malware. This will ultimately result in the ATM dispensing a preconfigured amount of money that will be collected physically by the mule.
Figure 4: Ploutus Attack Scenario BACKDOOR.ATM.TYUPKIN Like the Ploutus variant, Tyupkin also requires physical access to the ATM to install the malware, which then employs several techniques to avoid detection. First, the malware is only active during specific time ranges at night on certain days of the week (typically Sunday and Monday). The malware also needs a key-based random seed for every session. When both of these requirements are satisfied, the malware will display the amount of money available in the cassettes loaded in the machine. The mule then selects the cassette(s) from which to withdraw funds. BACKDOOR.ATM.SUCEFUL The Backdoor.ATM.Suceful variants will establish a connection with the terminal XFS manager, allowing the attackers to create their own interface (using the native APIs WFSExecute) to control the system. The attacker can then open sessions with (and disable) other relevant peripherals including: Door sensors Alarm sensors Proximity sensors The WFSExecute API can also read payment card data, including the cardholder name, account numbers, expiration dates and the encrypted PIN. The attacker can also instruct the device to retain ATM cards, preventing the victim from removing his/her card. If he/she physically leaves the ATM, then the attacker or his mules can retrieve the stolen card. BACKDOOR.ATM.GREENDISPENSER Like previous ATM malware families, GreenDispenser requires physical access to install. Like the Tyupkin variant, it requires a form of two-factor authentication and only functions during specific timeframes. In many of the samples we analyzed, the malware only functioned on machines with clocks set from January to September 2015. There is also a post-op secure delete function. These functions are the result of XFS middleware exploits, and are likely intended to prevent or complicate forensic investigations.
Page 1 and 2: RSA ® INCIDENT RESPONSE REPORT: TH
Page 3 and 4: EXECUTIVE SUMMARY The famous Americ
Page 5: speed the response time, reducing o
Page 9 and 10: Figure 6 below illustrates the way
Page 11 and 12: passwords as they are entered. In a
Page 13 and 14: condition: all of them and // MZ si

ATM MALWARE

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?