FireEye: First multi-vendor ATM malware targeting cardholders

The malware, SUCEFUL, can potentially be used to retain cards, disable alarms and read credit and debit card track data.
The malware, SUCEFUL, can potentially be used to retain cards, disable alarms and read credit and debit card track data.

Malware has been used to make ATMs dispense cash since as far back as 2013, but FireEye Labs said on Friday that it had discovered the first multi-vendor ATM malware specifically targeting cardholders.

The malware – detected as Backdoor.ATM.Suceful, or SUCEFUL – appears to have been created on 25 August, was recently uploaded to VirusTotal from Russia, and could possibly still be in its development phase, a Friday post said.

In Diebold or NCR ATMs, SUCEFUL is potentially capable of reading all credit and debit card track data, reading data from the chip of the card, and suppressing ATM sensors to avoid detection, the post said, adding that control of the malware could also be possible via the ATM PIN pad.

Perhaps most noteworthy is that the malware is capable of retention or ejection of the card on demand, which could be used to steal the physical card. The post described a situation where a person's card is not ejected, they walk away to ask for help, and during that time the attackers eject and steal the card.

So far FireEye has no evidence of how the malware gets installed on ATMs since it has not been observed in the wild, Daniel Regalado, senior staff malware researcher with FireEye, told SCMagazine.com in a Friday email correspondence.

Regalado said that “previous ATM threats like Ploutus or Padpin suggest that the crooks either open the upper portion of the ATM to insert a CD-ROM/ USB to transfer the malware, or hire employees with access to these machines to perform the installation.” 

SUCEFUL works by interacting with middleware known as XFS Manager.

“One benefit of the XFS Manager is that it is vendor independent, similar to Java's “Write once, run anywhere” mantra,” the post said. “This means that it can be used maliciously by ATM malware, so that it can run transparently in multiple hardware vendors. This is the case of SUCEFUL, which is targeted for Diebold and NCR [ATMs].”

For those whose cards get stuck in an ATM, FireEye recommended keeping the bank's contact number handy so a call can be made without having to walk away from the machine.