FireEye discovers a new strain of ATM malware

Sep 11, 2015 19:47 GMT

FireEye researchers have identified a new malware strain that targets ATMs (Automated Teller Machines) using a set of sophisticated procedures that can trap debit cards inside the machine and release them only when the malware operator can safely pick them up without being noticed.

The FireEye researchers named this new malware SUCEFUL because its authors mistyped the word "successful" in the message shown after an operation completes.

While in early 2013 and 2014 ATM malware such as Ploutus and PadPin was making the rounds across the globe, helping criminals empty ATMs of their cash, the new SUCEFUL strain represents an advance in the art of ATM malware design.

One of the most sophisticated pieces of ATM malware ever seen

According to FireEye's security researchers, SUCEFUL comes with a broad range of features that give criminals almost full control over the ATM itself.

Analysis of SUCEFUL's code reveals that criminals can infect ATMs regardless of their vendor or platform, read the card's track data (the magnetic stripe), read data from the card's chip (if the card has one), trap cards inside the ATM, eject cards on demand, disable ATM security sensors, and even control the malware's operation via the ATM's number pad.

All of this is possible because the individuals who designed the malware are not mere hackers leveraging flaws in one vendor's ATM software; instead, they have carefully studied ATM design in general and created platform-agnostic malware that mimics the management software programs that bank staff or maintenance crews connect to the ATM.

SUCEFUL interacts with the ATM's XFS APIs

Under the hood, SUCEFUL works by interacting with a special middleware that's present in all ATMs, the XFS (eXtensions for Financial Services) Manager.

Because ATM hardware differs by manufacturer, and the software differs by operating bank, the XFS Manager works as a middle layer between the two, providing APIs that translate software instructions into electronic signals for the hardware.

Since SUCEFUL was designed just like ordinary Windows desktop software, the malware connects to the XFS Manager's APIs (see graph below) and takes over the ATM.

Once this has happened, criminals can then alter normal ATM behavior so that it suits their own mode of operation.
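As an added illustration (not code from the article or from FireEye's report), here is the kind of host-level check a defender might run on an ATM: list the processes that have loaded the XFS Manager and flag any that are not the bank's known ATM application running from its expected install path. It assumes the XFS Manager is exposed through msxfs.dll on Windows and uses a constructed process inventory and allowlist; the directory names and binaries are invented for the example.

```python
"""Flag processes that talk to the XFS Manager but are not the bank's known
ATM software. The article's point is that SUCEFUL reaches the hardware by
calling the XFS Manager directly, so an unexpected consumer of that layer is
a strong signal. Input here is a constructed inventory, not live data."""

from dataclasses import dataclass, field

XFS_MANAGER_DLL = "msxfs.dll"  # assumed DLL name of the XFS Manager (not in the article)

# Directories where the bank's own ATM application would normally live
# (constructed for this example; real deployments differ per vendor and bank).
TRUSTED_DIRS = ("c:\\program files\\atmapp\\", "c:\\program files\\vendor\\")


@dataclass
class Process:
    pid: int
    image: str                                   # full path of the executable
    modules: list = field(default_factory=list)  # DLL names loaded in the process


def xfs_consumers(inventory, allowlist):
    """Return (pid, image, reason) for each suspicious XFS Manager consumer."""
    findings = []
    for p in inventory:
        if XFS_MANAGER_DLL not in (m.lower() for m in p.modules):
            continue  # never touched the XFS layer: not of interest here
        image = p.image.lower()
        name = image.rsplit("\\", 1)[-1]
        if name in allowlist and image.startswith(TRUSTED_DIRS):
            continue  # known ATM application in its expected place
        if name in allowlist:
            reason = "allowlisted name but unexpected path"   # lookalike binary
        else:
            reason = "unknown process loaded the XFS Manager"
        findings.append((p.pid, p.image, reason))
    return findings


# Constructed sample inventory: one legitimate app, one lookalike, one odd binary.
SAMPLE = [
    Process(1200, r"C:\Program Files\ATMApp\atmapp.exe", ["kernel32.dll", "msxfs.dll"]),
    Process(3320, r"C:\Users\Public\atmapp.exe", ["kernel32.dll", "MSXFS.dll"]),
    Process(4410, r"C:\Windows\Temp\svc.exe", ["msxfs.dll"]),
    Process(5001, r"C:\Windows\explorer.exe", ["kernel32.dll"]),
]

if __name__ == "__main__":
    for pid, image, reason in xfs_consumers(SAMPLE, {"atmapp.exe"}):
        print(f"pid {pid}: {image} -> {reason}")
```

On a real machine the inventory would come from an EDR agent or a module-enumeration tool, and the allowlist from the bank's change records.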

The first instance of the malware was detected on August 25, when a version of it was uploaded to VirusTotal, probably for testing purposes. This also means that SUCEFUL, even if quite complex in its current form, is still under development, and we may see an even more powerful version in the upcoming months.

Image: SUCEFUL's mode of operation
Image: SUCEFUL is a powerful, new ATM malware