April 10, 2018
Newly discovered malware that uses the ATM jackpotting method has been revealed. Threat researchers pinpointed its place of origin as Hong Kong, and believe the threat is still under development.
These types of logical-attack malware have earned the name "jackpotting" because, after recording data, they are used to dispense large amounts of cash. Generally, the automated teller machines are compromised via USB drives or by downloading malicious code through the internal network.
Threat analysts at Netskope Labs recently detected the new ATMJackpot malware, identified as Gen:Variant.Razy.255528. In addition to its believed origin in Hong Kong, researchers state that the binary's timestamp is March 28th, 2018. The malware is reportedly not very sophisticated yet: its rather rudimentary graphical user interface only shows the hostname and data regarding the service providers, such as cash dispenser, PIN pad, and card reader information.
The attack’s method
While Netskope's threat analysts are as yet uncertain how this malware is distributed, they have shown what it is programmed to do, and how. Its main purpose is to steal cash from the ATM's money supply.
The operating systems on ATMs are quite familiar to criminals, and are therefore easy to get into and infect. This unfortunate fact makes distribution via USB drive the most likely vector.
The first step of ATMJackpot is to register its window class name as "Win" with a procedure that then carries the load for the rest of the malware's activity. It establishes a connection to the Extensions for Financial Services (XFS) manager. The malware then starts a session to monitor events from the service providers for the cash dispenser, card reader, and PIN pad.
In addition to monitoring events, ATMJackpot also executes a series of commands. These give it the ability to read PIN pad data, to dispense cash, and to eject the card.
The threat researchers at Netskope Labs say that they will keep an eye on this new threat called ATMJackpot, and will publish updates as new information becomes available.
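From the defender's side, the behaviour described above (an unexpected process connecting to the XFS manager, subscribing to cash dispenser, card reader and PIN pad events, and then issuing dispense, PIN-read or card-eject commands) is a usable detection pattern. The following is an added example, not code from the article or from Netskope; it assumes a hypothetical API-monitor log format (one line per XFS call, with `pid`, `image`, `api`, `class` and `cmd` fields) and a placeholder allowlist of the legitimate ATM application, and flags processes whose sequence matches the one the article describes.

```python
import re
from collections import defaultdict

# Hypothetical log line format of an API monitor / EDR sensor (assumption, not a real schema).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+)'
    r'(?: class=(?P<cls>\w+))?(?: cmd=(?P<cmd>\w+))?$'
)
# Placeholder allowlist: the one process expected to drive the XFS service providers.
ALLOWLISTED_IMAGES = {r'C:\ATM\vendor_app.exe'}
# Service classes the article says ATMJackpot monitors, and the commands it can issue
# (names are the CEN/XFS command identifiers for dispense, PIN read and card eject).
WATCHED_CLASSES = {'CDM', 'IDC', 'PIN'}
SENSITIVE_CMDS = {'WFS_CMD_CDM_DISPENSE', 'WFS_CMD_PIN_GET_PIN', 'WFS_CMD_IDC_EJECT_CARD'}

def analyse(lines):
    """Return {pid: [findings]} for processes whose XFS use matches the jackpotting pattern."""
    state = defaultdict(lambda: {'image': None, 'opened': False, 'classes': set(), 'cmds': set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not XFS call records
        ev = m.groupdict()
        s = state[ev['pid']]
        s['image'] = ev['image']
        if ev['api'] in ('WFSStartUp', 'WFSOpen'):
            s['opened'] = True            # process connected to the XFS manager
        elif ev['api'] == 'WFSRegister' and ev['cls']:
            s['classes'].add(ev['cls'])   # subscribed to a service provider's events
        elif ev['api'] == 'WFSExecute' and ev['cmd']:
            s['cmds'].add(ev['cmd'])      # issued a command to a service provider
    findings = {}
    for pid, s in state.items():
        f, trusted = [], s['image'] in ALLOWLISTED_IMAGES
        if s['opened'] and not trusted:
            f.append('non-allowlisted process connected to XFS manager')
        if WATCHED_CLASSES <= s['classes']:
            f.append('registered for CDM+IDC+PIN events')
        hit = s['cmds'] & SENSITIVE_CMDS
        if hit and not trusted:
            f.append('sensitive command(s): ' + ', '.join(sorted(hit)))
        if f:
            findings[pid] = f
    return findings

# Constructed sample log: the vendor app behaving normally, then an unknown binary on a USB drive.
SAMPLE_LOG = """
2018-03-28T10:00:01Z pid=1200 image=C:\\ATM\\vendor_app.exe api=WFSOpen class=CDM
2018-03-28T10:00:02Z pid=1200 image=C:\\ATM\\vendor_app.exe api=WFSExecute class=CDM cmd=WFS_CMD_CDM_DISPENSE
2018-03-28T10:05:00Z pid=4412 image=E:\\unknown.exe api=WFSStartUp
2018-03-28T10:05:01Z pid=4412 image=E:\\unknown.exe api=WFSRegister class=CDM
2018-03-28T10:05:01Z pid=4412 image=E:\\unknown.exe api=WFSRegister class=IDC
2018-03-28T10:05:01Z pid=4412 image=E:\\unknown.exe api=WFSRegister class=PIN
2018-03-28T10:05:09Z pid=4412 image=E:\\unknown.exe api=WFSExecute class=CDM cmd=WFS_CMD_CDM_DISPENSE
""".strip().splitlines()
```

Running `analyse(SAMPLE_LOG)` reports only pid 4412, with all three findings, while the allowlisted vendor application issuing the same dispense command is left alone.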
Read Netskope’s report here: https://www.netskope.com/blog/netskope-discovers-atmjackpot-siphoning-cash/
A history of ATM malware
Unfortunately, this is by no means the first recorded attack on ATMs. Such attacks date back as far as 2014, when malware originating in Europe spread to some areas in Asia. In 2017, Europol issued a warning about jackpotting, stating that such attacks were becoming more prevalent, more sophisticated, and larger in scale.
The United States also experienced ATM jackpotting early this year. Over $1.24 million is believed to have been siphoned, and the culprit was the infamous Carbanak group. After a security alert was released, a worldwide operation was launched against the group. While the operation bore fruit when a suspected head of the criminal ring was arrested in March, it is suspected either that the Carbanak group has not stopped its activities, or that another team is behind the recent ATM jackpotting attacks.