ATM Malware

ATM Malware Called “ATMii” could allow Cyber Criminals to Hack and Dispense the Cash from ATM by Infecting the ATM Machine which is Running Windows 7 and Windows XP.

In order to gain  Complete control of the Targeting ATM, Attacker needs to have Direct access either via the network or Physical access using USB for Directly injecting the ATMii Malware.

Many ATM’s are still Running the old version of Windows XP, Windows 7 that could have highly possible compromise vectors and vulnerable to attack advance ATM Malware.

Last Few Years Many ATM Based Malware is Discovered by Security Researchers and various Successful incidents that Compromise the ATM was Documented.

Unlike Physical ATM Based Attacks, Network-Based Malware Attacks Helps More to Cyber Criminals to Initiate easily and Successfully gain Access to the ATM would Means Hackers don’t have to go to the machines anymore.

How Does ATM Malware ATMii work

ATMii is not much Complex and it Consisting of two modules which is an injector module (exe.exe) and this will be injected into (dll.dll) module.

An unprotected command line application exe.exe Performing inject and control operation written in Visual C.

Injector Timestamp shows Fri Nov 01 14:33:23 2013 UTC which Meant that this ATMii has been developed on 4 years before from current date but Researcher believe that it is a Fake timestamp that is used for Evade the Orginal timestamp.

According to Kaspersky, It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP. This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

OpenProcess call with the PROCESS_ALL_ACCESS constant


A list of PROCESS_ALL_ACCESS values per Windows version

In this case, proprietary ATM software called atmapp.exe targeted by the Injector(exe.exe). The application searches for a process of atmapp.exe and injects the malicious DLL file into the legitimate atmapp.exe Then it will completely gain control over the ATM.

ATMii Using 3 type of parameter that is (/load, /cmd, /unload) for load the Malicious Process, update the Process and unload the Process to restores the process to its original state.

At the time of First Call, WFSGetInfo Function library tries to find the ATM’s CASH_UNIT service id.If the CASH_UNIT service is not found, dll.dll won’t function. If service will be available then it will execute the further command to cash out.

ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. Kaspersky said.