Sunday, September 8, 2024
HomeMalwareATM Malware Called "ATMii" allows Hackers to Dispense all the Cash...

ATM Malware Called “ATMii” allows Hackers to Dispense all the Cash from the ATM

Published on

ATM Malware Called “ATMii” could allow Cyber Criminals to Hack and Dispense the Cash from ATM by Infecting the ATM Machine which is Running Windows 7 and Windows XP.

In order to gain  Complete control of the Targeting ATM, Attacker needs to have Direct access either via the network or Physical access using USB for Directly injecting the ATMii Malware.

Many ATM’s are still Running the old version of Windows XP, Windows 7 that could have highly possible compromise vectors and vulnerable to attack advance ATM Malware.

Last Few Years Many ATM Based Malware is Discovered by Security Researchers and various Successful incidents that Compromise the ATM was Documented.

- Advertisement - EHA

Unlike Physical ATM Based Attacks, Network-Based Malware Attacks Helps More to Cyber Criminals to Initiate easily and Successfully gain Access to the ATM would Means Hackers don’t have to go to the machines anymore.

How Does ATM Malware ATMii work

ATMii is not much Complex and it Consisting of two modules which is an injector module (exe.exe) and this will be injected into (dll.dll) module.

An unprotected command line application exe.exe Performing inject and control operation written in Visual C.

Injector Timestamp shows Fri Nov 01 14:33:23 2013 UTC which Meant that this ATMii has been developed on 4 years before from current date but Researcher believe that it is a Fake timestamp that is used for Evade the Orginal timestamp.

According to Kaspersky, It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP. This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

OpenProcess call with the PROCESS_ALL_ACCESS constant


A list of PROCESS_ALL_ACCESS values per Windows version

In this case, proprietary ATM software called atmapp.exe targeted by the Injector(exe.exe). The application searches for a process of atmapp.exe and injects the malicious DLL file into the legitimate atmapp.exe Then it will completely gain control over the ATM.

ATMii Using 3 type of parameter that is (/load, /cmd, /unload) for load the Malicious Process, update the Process and unload the Process to restores the process to its original state.

At the time of First Call, WFSGetInfo Function library tries to find the ATM’s CASH_UNIT service id.If the CASH_UNIT service is not found, dll.dll won’t function. If service will be available then it will execute the further command to cash out.

ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. Kaspersky said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the...