Sunday, January 26, 2025
HomeMalwareATM Malware Called "ATMii" allows Hackers to Dispense all the Cash...

ATM Malware Called “ATMii” allows Hackers to Dispense all the Cash from the ATM

Published on

SIEM as a Service

Follow Us on Google News

ATM Malware Called “ATMii” could allow Cyber Criminals to Hack and Dispense the Cash from ATM by Infecting the ATM Machine which is Running Windows 7 and Windows XP.

In order to gain  Complete control of the Targeting ATM, Attacker needs to have Direct access either via the network or Physical access using USB for Directly injecting the ATMii Malware.

Many ATM’s are still Running the old version of Windows XP, Windows 7 that could have highly possible compromise vectors and vulnerable to attack advance ATM Malware.

Last Few Years Many ATM Based Malware is Discovered by Security Researchers and various Successful incidents that Compromise the ATM was Documented.

Unlike Physical ATM Based Attacks, Network-Based Malware Attacks Helps More to Cyber Criminals to Initiate easily and Successfully gain Access to the ATM would Means Hackers don’t have to go to the machines anymore.

How Does ATM Malware ATMii work

ATMii is not much Complex and it Consisting of two modules which is an injector module (exe.exe) and this will be injected into (dll.dll) module.

An unprotected command line application exe.exe Performing inject and control operation written in Visual C.

Injector Timestamp shows Fri Nov 01 14:33:23 2013 UTC which Meant that this ATMii has been developed on 4 years before from current date but Researcher believe that it is a Fake timestamp that is used for Evade the Orginal timestamp.

According to Kaspersky, It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP. This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

OpenProcess call with the PROCESS_ALL_ACCESS constant


A list of PROCESS_ALL_ACCESS values per Windows version

In this case, proprietary ATM software called atmapp.exe targeted by the Injector(exe.exe). The application searches for a process of atmapp.exe and injects the malicious DLL file into the legitimate atmapp.exe Then it will completely gain control over the ATM.

ATMii Using 3 type of parameter that is (/load, /cmd, /unload) for load the Malicious Process, update the Process and unload the Process to restores the process to its original state.

At the time of First Call, WFSGetInfo Function library tries to find the ATM’s CASH_UNIT service id.If the CASH_UNIT service is not found, dll.dll won’t function. If service will be available then it will execute the further command to cash out.

ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. Kaspersky said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...