Thursday, June 13, 2024

ATM Malware Called “ATMii” allows Hackers to Dispense all the Cash from the ATM

ATM malware called “ATMii” could allow cyber criminals to hack ATMs running Windows 7 and Windows XP and dispense the cash by infecting the machine.

To gain complete control of the targeted ATM, the attacker needs direct access, either via the network or physically via USB, to inject the ATMii malware.

Many ATMs still run old versions of Windows such as Windows XP and Windows 7, which offer many possible compromise vectors and are vulnerable to advanced ATM malware.

Over the last few years, security researchers have discovered many pieces of ATM-based malware, and various successful ATM compromises have been documented.

Unlike physical ATM attacks, network-based malware attacks are easier for cyber criminals to initiate, and successfully gaining access to the ATM this way means the hackers don’t have to go to the machines anymore.

How Does the ATMii ATM Malware Work

ATMii is not very complex. It consists of two modules: an injector module (exe.exe) and the module that it injects (dll.dll).

The injector, exe.exe, is an unprotected command-line application written in Visual C that performs the inject and control operations.

The injector's timestamp shows Fri Nov 01 14:33:23 2013 UTC, which would mean that ATMii was developed 4 years before the current date, but researchers believe it is a fake timestamp used to hide the original one.

According to Kaspersky, the injector's OpenProcess call uses the PROCESS_ALL_ACCESS constant, but the value of this constant differs in older Windows versions such as Windows XP. This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

[Figure: OpenProcess call with the PROCESS_ALL_ACCESS constant]

[Figure: A list of PROCESS_ALL_ACCESS values per Windows version]

In this case, the injector (exe.exe) targets proprietary ATM software called atmapp.exe. It searches for the atmapp.exe process and injects the malicious DLL file into that legitimate process, after which it gains complete control over the ATM.

ATMii uses three parameters (/load, /cmd, /unload) to load the malicious process, update the process, and unload it, which restores the process to its original state.

On the first call, the library uses the WFSGetInfo function to try to find the ATM’s CASH_UNIT service ID. If the CASH_UNIT service is not found, dll.dll won’t function. If the service is available, it executes the further commands to cash out.

“ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control,” Kaspersky said.
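The OpenProcess behaviour and the default-deny countermeasure described above can be turned into a monitoring check. The following is an added example, not code from the article or from Kaspersky: it assumes process-access telemetry in the field layout of Sysmon Event ID 10 (SourceImage, TargetImage, GrantedAccess), and the allowlisted path and sample records are constructed for illustration.

```python
import re

# Windows process access rights (winnt.h values) needed to write into a
# process and start a thread in it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# PROCESS_ALL_ACCESS differs by Windows version, as the article notes.
PROCESS_ALL_ACCESS = {0x1FFFFF: "Vista and later", 0x1F0FFF: "XP / Server 2003"}

TARGET = "atmapp.exe"  # process name taken from the article
# Assumption: hypothetical allowlist of software expected to open the target.
ALLOWED_SOURCES = {r"c:\program files\atmvendor\monitor.exe"}

# Constructed sample records in the "Field: value" layout of Sysmon Event ID 10.
SAMPLE_LOG = r"""
SourceImage: C:\Program Files\ATMVendor\monitor.exe
TargetImage: C:\ATM\atmapp.exe
GrantedAccess: 0x1410

SourceImage: E:\exe.exe
TargetImage: C:\ATM\atmapp.exe
GrantedAccess: 0x1FFFFF

SourceImage: C:\Windows\Temp\tool.exe
TargetImage: C:\Windows\System32\notepad.exe
GrantedAccess: 0x1FFFFF
"""

def parse_events(text):
    """Split blank-line separated records into dicts of field -> value."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]

def suspicious_access(events):
    """Alert on non-allowlisted handles to TARGET that permit code injection."""
    alerts = []
    for ev in events:
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0"), 16)
        if not target.endswith("\\" + TARGET) or source in ALLOWED_SOURCES:
            continue  # default-deny: only allowlisted sources are skipped
        if access & INJECTION_RIGHTS == INJECTION_RIGHTS:
            label = PROCESS_ALL_ACCESS.get(access, "partial rights")
            alerts.append((ev["SourceImage"], hex(access), label))
    return alerts

if __name__ == "__main__":
    print(suspicious_access(parse_events(SAMPLE_LOG)))
```

The check matches on the injection-capable rights rather than only on one PROCESS_ALL_ACCESS value, so it covers both the newer and the Windows XP value of the constant.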


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
