ATMii: a small but effective ATM robber
Security researchers at Kaspersky Lab have found a new malware strain, dubbed ATMii, that targets ATMs running Windows 7 and Windows Vista. That makes it useless against the majority of ATMs, since most of them still run Windows XP. It also suggests that whoever operates ATMii is deliberately going after the ATMs of one particular network, and that the malware was built to steal from those machines only.
ATMii was discovered in April 2017, after one of the attacked banks shared a sample with the researchers at Kaspersky Lab. The company analysed ATMii and published a technical breakdown of its capabilities.
According to the analysis by Kaspersky researcher Konstantin Zykov, this particular strain is not as powerful or dangerous as the ATM malware families identified so far, such as Rufus, GreenDispenser, Ploutus, SUCEFUL and Skimer. The whole toolkit consists of just two files, exe.exe and dll.dll.
“The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g., over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM,” wrote Zykov in his blog post.
ATMii is installed on an ATM (Automated Teller Machine) either over the network or from a USB device. The attacker copies the two files onto the ATM's storage drive and runs exe.exe, which searches for the ATM's proprietary atmapp.exe process and injects dll.dll into it. Running inside atmapp.exe, the injected module lets the attacker interact with the ATM application and take control of the machine.
dll.dll, the injected module.
The injector is written in Visual C and is an unprotected command-line application compiled with the timestamp Fri Nov 01 14:33:23 2013 UTC, Zykov explained. That timestamp is about four years old, and it is unrealistic that the malware stayed unnoticed for so long, so it is reasonable to assume the attackers forged it.
Zykov also found that the injected module accepts four commands. scan searches for the CASH_UNIT XFS service (XFS being the standard API layer through which ATM software drives peripherals such as the cash dispenser). info reads the ATM's cash cassettes to get a list of the bills held in the machine at the time of the attack and writes the result to a log file. disp lets the attacker dispense as much cash as they want, in a chosen currency. die makes the module delete the C:\ATM\c.ini file, the file from which it takes its commands.
Command | Description
scan | Scans for the CASH_UNIT XFS service.
disp | Stands for “dispense”. The injected module should dispense “amount” cash of “currency” (amount and currency are used as parameters).
info | Gets info about the ATM cash cassettes; all the returned data goes to the log file.
die | The injected module removes the C:\ATM\c.ini file.
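The indicators above (the two module names and MD5s, the atmapp.exe target process, the C:\ATM\c.ini command file and the four command names) are enough to hunt for ATMii on an ATM fleet. The script below is an added example written for this page, not code from Kaspersky Lab or from the write-up. It assumes two input formats that are not described on the page: a file-hash inventory as (path, md5) pairs, as exported by an EDR or a file-integrity tool, and remote-thread events modelled on Sysmon Event ID 8 (SourceImage/TargetImage fields), on the assumption that such telemetry is collected on the ATM. The sample data is constructed; the exact syntax of c.ini is not given in the write-up, so the command-file check only looks for the four command names as whole words.

```python
"""Hunting checks for ATMii indicators over constructed sample data.

Added example, not Kaspersky's code. Indicators come from the write-up; the
input formats (hash inventory, Sysmon-style remote-thread events) and the
sample data are assumptions made for illustration.
"""
import re

# Indicators from the write-up: MD5 -> module role.
ATMII_MD5 = {
    "3fddbf20b41e335b6b1615536b8e1292": "exe.exe (injector)",
    "dc42ed8e1de55185c9240f33863a6aa4": "dll.dll (injected module)",
}
ATMII_NAMES = {"exe.exe", "dll.dll"}
TARGET_PROCESS = "atmapp.exe"          # proprietary ATM application targeted by the injector
COMMAND_FILE = r"c:\atm\c.ini"          # file the injected module reads commands from
ATMII_COMMANDS = ("scan", "disp", "info", "die")


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_file_inventory(inventory):
    """inventory: iterable of (path, md5_hex). Returns a list of findings.

    A hash match is the strongest signal. A file carrying one of the two
    throwaway names with a different hash may be a rebuilt variant and is
    reported separately, as is the presence of the command file itself.
    """
    findings = []
    for path, md5 in inventory:
        md5 = md5.lower()
        name = basename(path)
        if md5 in ATMII_MD5:
            findings.append(("hash_match", path, ATMII_MD5[md5]))
        elif name in ATMII_NAMES:
            findings.append(("name_match", path, md5))
        if path.lower() == COMMAND_FILE:
            findings.append(("command_file", path, md5))
    return findings


def check_injection_events(events, allowed_sources=()):
    """events: dicts with SourceImage/TargetImage (Sysmon Event ID 8 style).

    Flags any process other than an allow-listed one creating a remote
    thread in atmapp.exe, which is how exe.exe plants dll.dll.
    """
    allowed = {a.lower() for a in allowed_sources}
    hits = []
    for ev in events:
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "")
        if basename(target) == TARGET_PROCESS and basename(source) not in allowed:
            hits.append((source, target))
    return hits


def commands_in_file(text):
    """Return the ATMii command words that appear as whole words in a c.ini body.

    The write-up does not give the file's syntax, so this is deliberately
    a loose keyword check rather than a parser.
    """
    words = set(re.findall(r"[a-z]+", text.lower()))
    return [c for c in ATMII_COMMANDS if c in words]


# Constructed sample data (hashes other than the two IOCs are placeholders).
SAMPLE_INVENTORY = [
    (r"C:\Program Files\ATM\atmapp.exe", "0123456789abcdef0123456789abcdef"),
    (r"D:\exe.exe", "3fddbf20b41e335b6b1615536b8e1292"),
    (r"D:\dll.dll", "ffffffffffffffffffffffffffffffff"),
    (r"C:\ATM\c.ini", "d41d8cd98f00b204e9800998ecf8427e"),
]
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\ATM\atmapp.exe",
     "TargetImage": r"C:\Program Files\ATM\atmapp.exe"},
    {"SourceImage": r"D:\exe.exe",
     "TargetImage": r"C:\Program Files\ATM\atmapp.exe"},
    {"SourceImage": r"D:\exe.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_CINI = "disp 1000 USD\n"   # constructed; real syntax unknown


def run_hunt():
    """Run all three checks over the constructed data and return the results."""
    return {
        "files": check_file_inventory(SAMPLE_INVENTORY),
        "injections": check_injection_events(SAMPLE_EVENTS, allowed_sources=("atmapp.exe",)),
        "commands": commands_in_file(SAMPLE_CINI),
    }


if __name__ == "__main__":
    for section, hits in run_hunt().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

In practice the hash match will miss any rebuilt sample, which is why the name and command-file checks and the injection telemetry are kept alongside it: a process that is not the ATM application itself creating a thread inside atmapp.exe is suspicious regardless of which binary does it.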