HOPLITE CYBER ATMOSPHERICS- NEW MALWARE TARGETS ATMS

Summary: Hoplite Cyber Atmospherics Reports- A new virus has been observed that turns an ATM into a skimmer without any outward signs of tampering. The virus is activated by attackers, who collect the stolen card data and download it onto the smart chip of a heavily modified credit card.

Body

Analysts at Kaspersky Lab have identified a devastating new variant of the Skimer malware family. The malware installs itself on ATMs and can be used to turn the entire ATM into a skimmer. Most ATM scams involve placing a device, called a skimmer, between the user and the card reader and PIN pad, allowing the attacker to capture the card data. Knowledgeable users could detect that an ATM had been tampered with by looking for outward signs at the PIN pad and the card reader. With Skimer, the card data is stored on the compromised ATM itself, leaving few visible signs of tampering.

The malware is installed either through physical access or via the bank’s internal network. Once installed, the malware begins collecting card data from unsuspecting users and from data sniffed or surreptitiously captured from the bank’s internal network.

Criminals then gain access to a compromised machine by inserting a “credit card” modified to include special codes that activate the virus. With one of these cards inserted, the criminal enters a PIN and gains access to the virus’s main menu. From there, the criminal can activate up to 40 commands, including:

1. Dispense money (40 notes from the specified cassette);
2. Print collected card details;
3. Self delete;
4. Debug mode;
5. Update (the updated malware code is embedded on the card).

According to one report, the criminals can download the stolen data onto a chip installed on the credit card. Criminals can leave the malware installed for any period of time, and come to collect the data at their convenience.

The attack was spotted by incident response professionals at Kaspersky when they observed that a bank client’s network had been infected, but that no theft had occurred. By following the forensic trail left by the attackers, they were able to identify the malware. Samples of this virus have been identified on VirusTotal coming from the UAE, France, the USA, Russia, Macao, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil, and the Czech Republic.

While standard anti-malware practices should assist in mitigating this attack (running periodic virus checks, segregating ATMs from main networks, etc.), this attack is also interesting because the data on the “credit card” used to access the malware is now known. With these additional data points, banks and law enforcement may be able to raise an alert when such a card is used on their network and monitor the behavior of anyone in possession of one.
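One way a bank could act on this: compare the Track 2 data read at the ATM against the known masked patterns at transaction-monitoring time. The following Python is an added example, not code from Kaspersky or Hoplite; the watchlist digits in it are constructed placeholders, not the real indicator values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watchlist entry in the masked Track 2 form the report uses: six
# masked PAN digits, nine known digits, one wildcard digit, '=' and masked
# discretionary data. The digits are placeholders, not the real indicators.
WATCHLIST = ["******123456789*=********************"]

@dataclass
class Track2:
    pan: str            # primary account number
    expiry: str         # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined data, may be empty

# Track 2 layout: optional start sentinel, PAN, '=' separator, expiry,
# service code, discretionary data, optional end sentinel.
_TRACK2_RE = re.compile(r"^;?(\d{13,19})=(\d{4})(\d{3})(\d*)\??$")

def parse_track2(raw: str) -> Optional[Track2]:
    """Parse raw Track 2 data; return None if it is malformed."""
    m = _TRACK2_RE.match(raw.strip())
    return Track2(*m.groups()) if m else None

@dataclass
class MaskedPan:
    offset: int   # index of the known digit run within the PAN
    digits: str   # the known digit run

def compile_masked(pattern: str) -> MaskedPan:
    """Pull the known digit run (and where it sits) out of a masked pattern."""
    pan_part = pattern.split("=", 1)[0]
    m = re.search(r"\d+", pan_part)
    if m is None:
        raise ValueError("masked pattern contains no known digits")
    return MaskedPan(offset=m.start(), digits=m.group())

def pan_matches(pan: str, masked: MaskedPan) -> bool:
    """True if the PAN carries the known digits at the pattern's offset."""
    end = masked.offset + len(masked.digits)
    return len(pan) >= end and pan[masked.offset:end] == masked.digits

def check_card(raw_track2: str, watchlist: List[str] = WATCHLIST) -> Optional[str]:
    """Return the watchlist pattern a card matches, or None (also for unparsable input)."""
    t2 = parse_track2(raw_track2)
    if t2 is None:
        return None
    compiled = [(p, compile_masked(p)) for p in watchlist]
    return next((p for p, m in compiled if pan_matches(t2.pan, m)), None)
```

A match is a trigger for investigation of the session and the person at the machine, not proof of compromise on its own, since only part of the PAN is known.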

The magnetic strip “Track 2” data is as follows:


The file hashes associated with the virus are as follows:


The filenames associated with this virus are as follows:

C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll

Source

https://www.virustotal.com/en/file/5ab6358e1886655257c437ebad71b98a6575313b2f9327359661aac5d450c45a/analysis/
https://www.virustotal.com/en/file/4941331c64e0389d5ec966122ef71a99d8f9830f13e9afa758e03275f896c2eb/analysis/
http://www.kaspersky.com/about/news/virus/2016/ATM-is-a-New-Skimmer
http://www.oreans.com/themida.php
https://securelist.com/blog/research/74772/atm-infector/

Tags

Skimer
Skimmers
Bank
Scam
Virus
ATM
Cyber Security
Hoplite Industries