A new malware which targets ATM and make them to spit out cash have been discovered by security experts.
Dubbed Alice, the malware which was discovered by Security experts from Trend Micro is designed to target the safes of ATM's and make them empty the stored cash.
Also Read: Netherlands Teen Hackers punishes 7 Indian embassies for ignoring security flaws
Although the malware was spotted last month November 2016 for the first time as part of a joint research project on ATM malware with Europol EC3, it is believed that the malware has been in existence since 2014.
According to TrendMicro, Alice malware appears different from other malware families. Alice cannot be controlled through the numeric pad of ATMs , neither does it have information stealing features which means it was made solely for the aim of emptying the ATMs. In order to empty the dispenser of its cash, the crooks would need physical access to the ATMs.
"The existence of a PIN code to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism - it works by merely running the executable in the appropriate environment," the blog read.
The blog went on to say that the malware only connects to the currencyDispenser1 peripheral and doesn't include the code to use the PIN pad which likely means it was designed for physical access.
"It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine's PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machines's mainboard and operate the malware through it," the blog read
In an attack scenario, the money mule enter the ID of the cassette for the ATM to dispense the money in it. The dispense command is then sent to the CurrencyDispense1 peripheral via the WFSExecute API. What these criminals does is to manually replace the windows Task Manager (taskmgr.exe) with Alice, and by so doing, any command that is supposed to invoke the task manager would instead invoke Alice!
The Alice malware is packed with a commercial, off-the-shelf packer/obfusercator called VMProtect. The malware implements a number of features to avoid the analysis of the researcher, it prevents the execution in the environment that are not ATM and debuggers.
The following three commands which are issued through specific PINs are supported by Alice
- Drop a file for un-installation
- Exit the program run the un-installation/cleanup routine.
- Open the "operator panel" to see the amount of cash available in the ATM.
Below are the indicators of compromise. The files used in the analysis have the following hashes SHA256
- 04F25013EB088D5E8A6E55BDB005C464123E6605897BD80AC245CE7CA12A7A70
- B8063F1323A4AE8846163CC6E84A3B8A80463B25B9FF35D70A1C497509D48539