Monday, March 4, 2024

ATM Malware Called “ATMii” allows Hackers to Dispense all the Cash from the ATM

ATM Malware Called “ATMii” could allow Cyber Criminals to Hack and Dispense the Cash from ATM by Infecting the ATM Machine which is Running Windows 7 and Windows XP.

In order to gain  Complete control of the Targeting ATM, Attacker needs to have Direct access either via the network or Physical access using USB for Directly injecting the ATMii Malware.

Many ATM’s are still Running the old version of Windows XP, Windows 7 that could have highly possible compromise vectors and vulnerable to attack advance ATM Malware.

Last Few Years Many ATM Based Malware is Discovered by Security Researchers and various Successful incidents that Compromise the ATM was Documented.

Unlike Physical ATM Based Attacks, Network-Based Malware Attacks Helps More to Cyber Criminals to Initiate easily and Successfully gain Access to the ATM would Means Hackers don’t have to go to the machines anymore.

How Does ATM Malware ATMii work

ATMii is not much Complex and it Consisting of two modules which is an injector module (exe.exe) and this will be injected into (dll.dll) module.

An unprotected command line application exe.exe Performing inject and control operation written in Visual C.

Injector Timestamp shows Fri Nov 01 14:33:23 2013 UTC which Meant that this ATMii has been developed on 4 years before from current date but Researcher believe that it is a Fake timestamp that is used for Evade the Orginal timestamp.

According to Kaspersky, It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP. This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

OpenProcess call with the PROCESS_ALL_ACCESS constant


A list of PROCESS_ALL_ACCESS values per Windows version

In this case, proprietary ATM software called atmapp.exe targeted by the Injector(exe.exe). The application searches for a process of atmapp.exe and injects the malicious DLL file into the legitimate atmapp.exe Then it will completely gain control over the ATM.

ATMii Using 3 type of parameter that is (/load, /cmd, /unload) for load the Malicious Process, update the Process and unload the Process to restores the process to its original state.

At the time of First Call, WFSGetInfo Function library tries to find the ATM’s CASH_UNIT service id.If the CASH_UNIT service is not found, dll.dll won’t function. If service will be available then it will execute the further command to cash out.

ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. Kaspersky said.

Website

Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles