Go ask Alice: New ATM malware detected

News by Greg Masters

A new malware family dubbed Alice has been detected that is solely focused on making ATMs spit out cash.

A new malware family, dubbed Alice, has been detected that is solely focused on making ATMs spit out cash.

Unlike other ATM malware families, the "stripped down" malware does not enable attackers to control operations via the numeric keypad of ATMs and it does not contain information-stealing characteristics. Rather, it is designed solely to cause ATMs to give up their cash, according to Trend Micro, which first detected the malware last month.

Explaining that there have only been eight unique ATM malware families detected over the past nine years, the researchers said this new find is "remarkable because it shows a clear tendency for malware writers to attack an ever-increasing variety of platforms."

Malware attacks on ATMs have increased over the past three years because that's where the money is, wrote David Sancho and Numaan Huq, the co-authors of the report and both senior threat researchers at Trend Micro.

Looking at PE compilation times and Virus total submission dates, the researchers determined that Alice has been in the wild since at least October 2014.

Seeking particular registry keys to determine it is running on an ATM, the code first verifies that it is running within a proper Extensions for Financial Services XFS environment. It then connects to the CurrencyDispenser1 peripheral, the default name for the dispenser device in the XFS environment, the report explained. During this process, it is not issuing any commands that would establish a connection with other ATM hardware, which denies the attackers the ability to issue commands via the PIN pad.

But, after a correct PIN code is entered, Alice opens the "operator panel," a screen that displays the cassettes inside the ATM in which cash is stored. "When the money mule inputs the cassette number in the operator panel, the CurrencyDispenser1 peripheral is sent the dispense command via the WFSExecute API and stored cash is dispensed," the report said.

The researchers conclude that because of Alice's focus on attacking only the money safe via the CurrencyDispenser1 peripheral, the miscreants behind the malware are required to physically open the ATM in order to download the code via a USB or CD-ROM and then attach a keyboard to the device's mainboard to operate the malware.

Further, the researchers believe the code has been created to run on "any vendor's hardware configured to use the Microsoft Extended Financial Services middleware (XFS)."

The cyber thieves' use of obfuscation illustrates that they are becoming more sophisticated in their strategies, they said. "Today, they are using commercial off-the-shelf packers; tomorrow we expect to see them start to use custom packers and other obfuscation techniques."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews