The malware can self-deactivate using a timer

Sep 24, 2015 23:34 GMT

A new ATM malware family is infecting ATMs in Mexico (for the moment), allowing attackers to enter two special PIN codes in the ATM and empty its cash reserve.

The ATM malware was first spotted and analyzed by security researchers from Proofpoint, who found it had similarities with the Padpin ATM malware detected by Kaspersky in October 2014, mainly in Russia and Eastern Europe.

This new malware, named GreenDispenser, is slightly different, coming with two features that make it very hard to detect, and allow it to disable itself after a certain period of time.

Infection requires physical access to the ATM

According to Proofpoint, infection requires physical access to the ATM, which leads the researchers to believe this may be an inside job, or that bank personnel are unable to spot the modifications made to the ATM while the malware is installed.

Fortunately, there's a simple way to recognize infected ATMs: they all display a fake out-of-service message that reads "Temporalmente fuera de servicio," which is Spanish for "Temporarily out of service."

Once installed, GreenDispenser, just like SUCEFUL, a recently discovered ATM malware family, uses the XFS middleware so that attackers can interact with the malware from the ATM's PIN pad.

This is crucial because the malware was designed to empty the ATM's money reserve on command, which happens only when an attacker orders it to do so after authenticating themselves on the ATM.

Attackers use two PIN codes to authenticate themselves

Authentication is done by typing a first PIN, hard-coded in the malware, and then a secondary PIN, which Proofpoint researchers say is obtained from the barcode label attached to each ATM.

The malware additionally comes with a deep-delete function, which attackers can trigger to cover their tracks after they've emptied the ATM.

In case the attackers cannot reach the ATM for whatever reason, the malware comes with a secondary protection measure, hard-coded in its source code.

Basically, every time GreenDispenser starts up, it checks the current year and month, and if they are past its hard-coded cutoff value, it will not execute.

This allows it to remain hidden until the attackers update it with a newer version, or delete it themselves later on to cover their tracks.