A new family of ATM malware, dubbed ATMii, uses legitimate proprietary libraries and a small piece of code to make machines spit out money, and targets older Windows versions.
The malware was first spotted in April 2017 and was described as very straightforward, consisting of only two modules: an injector and the module it injects, Kaspersky researcher Konstantin Zykov said in a 10 October blog post.
"To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM," Zykov said in the post.
The injector is an unprotected command-line application written in Visual C, with a compilation timestamp of Nov. 1, 2013; however, researchers believe the timestamp is fake.
Zykov said the best countermeasures against attacks using this malware are default-deny policies and device control, to prevent criminals from running their own code on the ATM's internal PC and from connecting new devices such as USB sticks.
Travis Smith, principal security researcher at Tripwire, commented in an email to SC Media UK: "The ATMii malware is very targeted, not only because it only supports Windows 7, but also because it is targeted to a specific ATM executable (atmapp.exe). According to Kaspersky's initial report, this is a proprietary application, so it's unlikely this specific malware variant will have a large impact on the ATM market worldwide. Even with minimal impact, it's quite easy to prevent the malware's infection path by implementing foundational controls. Limiting network access and disabling USB ports will reduce the attack surface enough that this simple type of malware won't make it onto an ATM."
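The controls Zykov and Smith recommend, a default-deny application policy and USB device control on the ATM's Windows 7 PC, can be expressed as a concrete configuration. The following is an added example written for this article, not code from Kaspersky, Tripwire or any ATM vendor; the vendor directory name ATMVendor, the probe file name and the assumption of a Windows 7 edition that ships AppLocker (Enterprise or Ultimate) are mine.

```powershell
# Added example: default-deny AppLocker executable policy plus USB mass-storage
# device control for an ATM's Windows 7 PC. Assumes the dispenser software lives
# under %PROGRAMFILES%\ATMVendor (hypothetical path) and that the edition has
# AppLocker (Windows 7 Enterprise/Ultimate). Run from an elevated PowerShell.

$policyFile = "$env:TEMP\atm-allowlist.xml"

# Allow only the OS and the vendor directory. Once the Exe collection is
# enforced, anything not matched by an Allow rule is denied by default.
# Both directories must stay non-writable by the ATM's interactive user,
# otherwise a path rule can be bypassed by copying a file into them.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow ATM vendor software" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\ATMVendor\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyFile -Encoding UTF8

# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local machine (replaces the existing local AppLocker policy).
Set-AppLockerPolicy -XmlPolicy $policyFile

# Dry-run the decision for an executable sitting outside the allowed paths,
# as a dropped tool would be. The probe is an empty, constructed file.
$probe = 'C:\Users\Public\unapproved.exe'
New-Item -ItemType File -Path $probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path $probe |
    Select-Object FilePath, PolicyDecision, MatchingRule   # expect DeniedByDefault
Remove-Item $probe

# Device control: keep the USB mass-storage driver from loading at all
# (Start = 4 means disabled), so a plugged-in USB stick never mounts.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name Start -Value 4 -Type DWord
```

In production the path rules for the vendor directory should be replaced by publisher or hash rules built with Get-AppLockerFileInformation against the real, signed dispenser binaries, and the policy should be deployed through Group Policy rather than set locally.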