According to Kaspersky Lab, which has been working with Interpol on the issue, the malware - Tyupkin - allows criminals to gain cardless access to ATM funds using six digit access codes.
Vicente Diaz, Kaspersky's principal security researcher said that the fraud shows that criminals are improving their tactics and appear to be able to gain enough access to ATMs to install program code.
Kaspersky claims that the Tyupkin malware does not infect ATMs, but must be installed via physical access to the device. The criminals are then are able to check the amount of notes in each of the ATM's cartridges and select from which cartridge to draw up to 40 notes at a time.
Diaz says that, based on his observations, he strongly advises banks to review the physical security of their ATMs and network infrastructure.
Kaspersky discovered the existence of the malware during a forensic examination into attacks on ATMs, revealing the presence of Tyupkin, which allows attackers to empty the cash machines via direct manipulation.
The criminals behind the attack, says the security vendor, tend to work at night - usually only on Sundays and Mondays.
Without inserting a card into the ATM slot, they enter a combination of digits on the ATM's keyboard, make a call to receive further instructions from an operator, enter another set of numbers and the ATM starts giving out cash, after which they leave.
The attack process operates in two stages. Firstly, Kaspersky says the criminals gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware, at which stage the system is rebooted and the machine is then available for code-based withdrawals.
According to Kaspersky Lab, video footage obtained from security cameras at the infected ATMs revealed the methodology used to access cash from the machines.
"A unique six-digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone," says the security vendor.
Sanjay Virmani, director of Interpol's digital crime centre, said that offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved - and informed - about current trends and modus operandi.
Countering the risk
To reduce the risk of a successful attack, Kaspersky and Interpol say that banks should review the physical security of their ATMs and consider investing in quality security solutions, alarming the units and replacing all locks plus master keys on the hood of the cash machines, as well as ditching the default settings provided by the manufacturer.
Kaspersky has also posted a video of Tyupkin in action:
Rob Bamforth, a principal analyst with Quocirca, the business and IT analysis house, said that the arrival of the Tyupkin malware in the wild is a worrying development, but highlights the dangers of using outdated operating systems, even if they are used in embedded versions.
"More than anything I think it highlights the fact that there are different set of security challenges associated with using an embedded version of an OS. Hardware systems using embedded OS technology have a lifespan far greater than conventional desktop computers. This causes problems in an industry where the security of a computer is based on the need to update and/or patch the operating system. With embedded OS-based systems, you don't normally have this option," he explained.
Bamforth went on to say that the key to success with this malware appears to centre on the criminals gaining physical access to the ATM.
"If you prevent physical access, then you have solved the security issue. The challenge for banks is that many of their ATMs, however, are located in places where the pubic - as well as the bank staff - have access. I think banks will have to look very seriously at the physical access issue if they are to counter this problem," he said.