
ATM Malware on the Rise:

A Comprehensive Overview of the Digital ATM Threat

Trend Micro Forward-Looking Threat Research (FTR) Team


and Europol's European Cybercrime Center (EC3)

A TrendLabs Research Paper


Foreword

After presenting the first Guide on ATM Logical Attacks prepared jointly with the European ATM Security Team, I am pleased to present this research paper developed through the joint efforts of Trend Micro and Europol.

With more than 3 million ATMs across the globe and the total number of cash withdrawals averaging around 8.6 billion per year, the report highlights the increasing opportunities to commit crimes targeting these critical financial services using malware injection. Since 2013, ATM malware attacks have significantly increased and have become more geographically widespread.

Logical attacks on ATMs are now recognised as a developing threat by Industry and Law Enforcement and the European Cybercrime Centre at Europol has already assisted several national police forces in successful investigations of this emerging crime type.

This report covers the key developments and emerging threats and offers a perspective from both IT security and law enforcement.

The report highlights the increasing sophistication of cybercriminals in terms of how attacks are planned and orchestrated, using both new methods and techniques in conjunction with well-known attack vectors.

The report lists a number of key recommendations to address this growing crime trend both in preventative and investigative areas and can serve as a valuable reference document to co-ordinate activities to tackle organised crime's expansion into this area of criminality.

I would like to recognise the work of Trend Micro who devoted substantial resources to prepare this report and look forward to Europol's continued cooperation with them to tackle cyber criminality.

Steven Wilson
Head of Europol's European Cybercrime Center (EC3)

On the heels of recent reported Automated Teller Machines (ATM) malware incidents, Trend Micro and Europol's European Cybercrime Centre have recognized the concerns that ATM malware poses. Our report contains a thorough background of existing ATM malware types, analyzes cases of ATM attacks from even the past five years and recommendations for a defensive strategy. In fact the advent of ATM malware shouldn't be a surprise but a vivid reminder that criminal groups are constantly shifting their attack vectors. ATM malware is just another example of this.

I am proud to present this comprehensive report that offers an insightful perspective on the ATM malware threat from the security and the law enforcement end of things. Together with our partners at Europol's European Cybercrime Center we strive to fight digital crime. With this joint reference document, we hope to provide detailed information on the malware attack routes that can help authorities dismantle cybercrime operations responsible for considerable financial loss across the globe. Concerned organizations should devote time and resources to adapt their security strategies to this growing and constantly morphing digital threat.

Lastly, I cannot fail to mention the dedicated and valuable role of Trend Micro's Forward-Looking Threat Research (FTR) Team in this report. As security experts, threat intelligence is the coin of our realm. I hope that the readers will find this report an informative and functional point of reference for reinforcing better cybersecurity.

Raimund Genes
Chief Technology Officer of Trend Micro

Written by:
David Sancho and Numaan Huq of Trend Micro Forward-Looking Threat Research (FTR) Team, and Massimiliano Michenzi of Europol's European Cybercrime Center

Contents

6   The Emerging ATM Threat
14  Attack Routes and Malware Types
24  Threat Defense - A Layered Defensive Approach
29  Appendix I
77  Appendix II

EUROPOL DISCLAIMER
© European Police Office, 2016. All rights reserved. Reproduction in any forms or by any means is allowed only with the prior permission of Europol.

More information on Europol is available on the Internet:
Website: www.europol.europa.eu
Facebook: www.facebook.com/Europol
Twitter: @Europol
YouTube: www.youtube/EUROPOLtube

TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

One would think that the risks of being victimized by credit card scams are reduced by avoiding online payments and using cash instead. However, what happens when withdrawing cash from Automated Teller Machines (ATM) becomes just as problematic? Criminals have been moving toward new modes of stealing money, most recently by targeting ATMs through the use of specially designed malware. This paper presents a comprehensive overview of the ATM malware threat, as well as the specific types of ATM malware currently in circulation.

The aim is to increase awareness by providing more information about this lesser known threat of ATM malware. We would like to stress, though, that at the moment there is no need for users to be unduly concerned when using ATMs, as such attacks are still rare. We will also be discussing the required safeguards that banks need to employ to secure ATMs and protect customers and businesses.

The first section explores the background of these new attack types, what an attacker needs to know to work his way into an ATM, the set-up of these machines, and the basic attack vectors. The second section describes the major malware families that were recently observed and the impact they have made in victim countries. The third section discusses appropriate defense strategies to counter this problem. The Appendix sections at the end present a detailed technical analysis of each type of malware described in this paper.

The Emerging ATM Threat

The earliest ATMs featured green-tinted, monochromatic screens that resembled UNIX terminals. Commercial banks started to switch to more modern full-colored ATMs in the 90s, and back then, most security professionals were surprised to learn that ATMs had Microsoft Windows as their operating system (OS). Given Microsoft's dubious security record 15 years ago, it was expected that the cash-dispensing machines of that time would be attacked on a massive scale. However, that didn't happen; mass attacks on ATMs are only taking place now.

What Caused this Shift?

When we think about reasons for the shift from physical attacks to virtual attacks through malware, there are a few things that come to mind. Perhaps the level of sophistication of cybercriminals is up to scratch for high-level attacks on all sorts of devices, from Point-Of-Sale (POS) terminals to smartphones.

Maybe it is the fact that an obsolete OS such as Windows XP has reached its end of life and won't receive any security updates anymore. Regretfully, this ancient version of Windows is still the OS extensively used in a lot of ATMs today.

What about the fact that most ATM vendors have made programmers' lives easier by creating middleware that provides APIs to interact with the machine's special hardware regardless of model/make?

The shift is most likely caused by a confluence of all these factors, enabling criminal groups to progress from purely physical attacks to the next logical form of attack: ATM malware.

Skimming card data can also be done through keylogging software, an old enemy from the PC world. It is no surprise that crooks are using malware more often these days to attack ATMs. That's not to say that explosives and physical skimmers aren't used anymore, for they still account for the majority of attacks seen in the field.

6 | ATM Malware on the Rise: A Comprehensive Overview of the Digital ATM Threat
[Figure 1 consists of two charts covering H1 2011 to H1 2015: total reported incidents (scale 0 to 14K) and total reported losses (scale 0 to 200M), each broken down into fraud attacks and physical attacks.]

Figure 1. European ATM attack statistics from 2011 to 2015 [1]

The growing trend of software attacks probably means that the most sophisticated criminal groups have identified a new and easy way of stealing money from ATMs that's less risky. This tendency will only grow in the near future. The same goes for virtual skimming attacks, which have the potential to avoid raising any alarms, allowing the attackers more time to steal card data than a regular physical skimming attack.

Although we don't have any ATM malware attack statistics for the U.S., the European ATM Security Team states that international losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA. The top three locations where such losses were reported are the United States, Indonesia, and the Philippines. [2]

We can assume that the United States is not that far behind the rest of the world on ATM malware attack fraud, but we cannot confirm this since there are no statistics available. If the figures are similar to the other kinds of attacks, the impact of ATM malware fraud on the U.S. is probably higher than in Europe.

From whatever side of the fence you are looking, one thing is certain: ATM malware attacks are here to stay. They are subtler, cleaner, and carry fewer risks for the perpetrators.

This paper will provide an overview of ATM malware strategies, how attackers go about performing their attacks, and the different malware families that have been observed in the wild. Hopefully this will properly frame the kinds of problems they pose to all parties involved and also inform users about this new and rising trend in malicious software.

Note that the incidence of ATM malware attacks is not particularly high for regular ATM users. We are not suggesting that we should change our normal behavior when withdrawing cash from an ATM or even that we're likely to get scammed or attacked. Law enforcement agencies, ATM manufacturers, commercial banks, and financial institutions are doing a good job at preventing and lessening the impact of ATM malware. The attacks we describe in this paper are rare enough that an ATM user need not be concerned about them.

ATM Infrastructure: How to Move Around an ATM


An overly simplistic yet accurate description of an ATM is this: a computer system connected to a secure vault encased inside a housing unit. ATMs are complex devices with interconnected peripherals that provide bank customers with a range of banking services such as cash withdrawal and deposit, money transfers, bill payments, etc. It is important to understand the physical design of an ATM in order to understand how ATM malware works. The primary goal of ATM malware is to connect to, and control, peripheral devices inside the ATM in order to withdraw stored cash and/or collect information from bank customers. ATMs come in all shapes and sizes, but their internals have a similar architectural layout. The following diagram illustrates some of the basic elements of an ATM:

[Figure 2 is a schematic of an ATM with its components numbered 1 to 10, as listed below.]

1. CPU
2. Card reader
3. PIN pad
4. Secure cryptoprocessor
5. Screen
6. Function keys
7. Receipt printer
8. Vault
9. Housing
10. Security camera

Figure 2. Components of an ATM

ATMs have the following components:

1. Central Processing Unit (CPU): Controls the user interface, manages communications, manages
peripheral devices, and processes transactions.

2. Card reader: Magnetic stripe card or chip card reader accepts as input both debit and credit cards.

3. PIN pad: An Encrypting PIN Pad (EPP) that encrypts identifiers such as the PIN entered on the
keypad.

4. Secure cryptoprocessor: Encrypts and decrypts secure communications. Transactions are encrypted
using AES or 3DES encryption algorithms.

5. Screen: Displays the graphical user interface (GUI) the customer uses to interact with the ATM. Some
of the newer ATMs have touchscreen displays with virtual function keys.

6. Function keys: Mounted beside the display or touchscreen. They provide access to menu items,
navigation, and commonly used functionality.

7. Receipt printer: Prints records of transactions. Some ATMs also support passbook printing.

8. Vault: The most important component of an ATM; it is constructed from high-tensile strength steel. It has a cash-dispensing mechanism, a deposit mechanism with check processor and bulk note acceptor, a journaling system to track cash in/outflows, cash cartridges/cassettes for storing cash, and a locking mechanism that secures the vault.

9. Inner housing: A customized machine steel case. The outer housing is made of very hard thermoformed Acrylonitrile Butadiene Styrene (ABS) plastic and is decorated with the bank's logo.

10. Security equipment: The ATM might also have a surveillance camera, security sensors (magnetic,
thermal, seismic, and gas), speakers, and indicator lights.

ATMs have moved from using custom hardware to off-the-shelf PC hardware and interfaces, such as USB, Ethernet and IP communications, Windows OS, etc. The decision to switch architecture was motivated by a lower cost of ownership: from cheaper components to better support and interoperability with commercial software.

A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT, Windows CE or Windows 2000. Microsoft support for Windows XP ended on April 8, 2014. Extended support for Windows XP Embedded ended on January 12, 2016, and extended support for Windows Embedded Standard 2009 is scheduled to end on January 8, 2019. This means that there are hundreds of thousands, if not more, ATMs running an OS that no longer receives software patches for new vulnerabilities, or will soon have security patch updates discontinued. Application programs running on ATMs use eXtensions for Financial Services (XFS) middleware for communications with the peripheral devices. XFS and the impact of middleware will be discussed in greater detail later.

ATMs are connected to the network via ADSL or dial-up modem over a telephone line or direct leased line. Low-level network communication protocols used by ATMs include: SNA over SDLC, TC500 over Async, X.25, and TCP/IP over Ethernet. [3] ATMs are connected to the interbank networks (NYCE, PULSE, PLUS, Cirrus, AFFN, Interac, STAR, LINK, MegaLink, and BancNet) and communicate via ISO 8583: Financial transaction card originated messages - Interchange message specifications. [4,5] ISO 8583 has no routing information and is used together with a TPDU header. [6] Transactions are encrypted using either AES or 3DES encryption. In addition to that, all communications between the ATM and the interbank network may also be encrypted via SSL for additional security.
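As an added illustration of the message framing just described (example code written for this edit, not from the paper or from any bank or vendor software), the following Python parses a TPDU-framed ISO 8583 request. It assumes the ISO 8583:1987 ASCII variant with a 16-hex-digit bitmap and a five-byte TPDU (one-byte identifier, two-byte destination, two-byte source), and it knows the formats of only a handful of data elements; a message carrying an element it cannot describe, or a truncated one, is rejected rather than mis-parsed. The sample message at the bottom is constructed for the example.

```python
"""Parse a TPDU-framed ISO 8583 request.

Added example, not from the paper: assumes the ISO 8583:1987 ASCII variant
and a 5-byte TPDU header (1-byte id, 2-byte destination, 2-byte source).
"""
from dataclasses import dataclass

TPDU_LEN = 5  # ISO 8583 carries no routing data; the TPDU header in front of it does

# Formats of the data elements this parser understands (ISO 8583:1987 subset).
# "fixed": exact length. "llvar": two ASCII digits give the length, up to the maximum.
FIELD_FORMATS = {
    2: ("llvar", 19),   # primary account number (PAN)
    3: ("fixed", 6),    # processing code, e.g. 01xxxx for a cash withdrawal
    4: ("fixed", 12),   # transaction amount in minor units
    11: ("fixed", 6),   # system trace audit number
    41: ("fixed", 8),   # card acceptor terminal identification
}


@dataclass
class Iso8583Message:
    tpdu_id: int
    tpdu_dest: int
    tpdu_src: int
    mti: str            # message type indicator, four digits
    fields: dict        # data element number -> value


def bits_from_bitmap(bitmap_hex: str, offset: int = 0) -> list:
    """Return the 1-based bit numbers set in a 16-hex-digit (64-bit) bitmap."""
    if len(bitmap_hex) != 16:
        raise ValueError("bitmap must be 16 hex digits")
    value = int(bitmap_hex, 16)
    # Bit 1 is the most significant bit of the first byte.
    return [offset + 64 - i for i in range(63, -1, -1) if (value >> i) & 1]


def parse_message(raw: bytes) -> Iso8583Message:
    if len(raw) < TPDU_LEN + 4 + 16:
        raise ValueError("too short for TPDU + MTI + primary bitmap")
    tpdu_id = raw[0]
    tpdu_dest = int.from_bytes(raw[1:3], "big")
    tpdu_src = int.from_bytes(raw[3:5], "big")
    body = raw[TPDU_LEN:].decode("ascii")

    mti, pos = body[:4], 4
    if not mti.isdigit():
        raise ValueError("MTI must be four digits")
    present = bits_from_bitmap(body[pos:pos + 16])
    pos += 16
    if 1 in present:  # bit 1 announces a secondary bitmap for elements 65..128
        present.remove(1)
        present += bits_from_bitmap(body[pos:pos + 16], offset=64)
        pos += 16

    fields = {}
    for bit in present:  # elements appear in ascending bit order
        if bit not in FIELD_FORMATS:
            raise ValueError(f"data element {bit} present but its format is unknown")
        kind, length = FIELD_FORMATS[bit]
        if kind == "llvar":
            prefix = body[pos:pos + 2]
            if not prefix.isdigit() or int(prefix) > length:
                raise ValueError(f"bad length prefix for data element {bit}")
            length, pos = int(prefix), pos + 2
        value = body[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside data element {bit}")
        fields[bit], pos = value, pos + length
    if pos != len(body):
        raise ValueError("trailing bytes after last data element")
    return Iso8583Message(tpdu_id, tpdu_dest, tpdu_src, mti, fields)


def amount_minor_units(msg: Iso8583Message) -> int:
    return int(msg.fields[4])


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as logs should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: a 0200 withdrawal request for 100.00 from terminal ATM00001.
SAMPLE = (
    b"\x60\x00\x01\x00\x00"       # TPDU: id 0x60, destination 0x0001, source 0x0000
    + b"0200"                      # MTI: financial transaction request
    + b"7020000000800000"          # bitmap: elements 2, 3, 4, 11 and 41 present
    + b"16" + b"4000123412341234"  # DE2 PAN (LLVAR)
    + b"010000"                    # DE3 processing code: withdrawal
    + b"000000010000"              # DE4 amount: 100.00
    + b"000123"                    # DE11 STAN
    + b"ATM00001"                  # DE41 terminal id
)

if __name__ == "__main__":
    m = parse_message(SAMPLE)
    print(m.mti, m.tpdu_dest, mask_pan(m.fields[2]), amount_minor_units(m), m.fields[41])
```

The strict "unknown element, stop" behaviour matters for anything that inspects this traffic (a monitoring tap or a host-side validator): silently skipping an element of unknown length would desynchronise every field after it, and the PAN masking keeps card data out of whatever log the parser feeds.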

Parallels between a PC and an ATM

If we think of a modern ATM as a Microsoft Windows PC with a safe box full of money attached to it and controlled by software, we can see how it becomes a juicy target for malware creators. Nevertheless, there are important differences between a normal desktop PC and an ATM. There are two main differences:

1. The first and most important divergence between a PC and an ATM is that these special machines can't be accessed through normal means. Other than a magnetic card reader and a keypad, there is no other easy way to interact with the machine's internal hardware. This implies that any infection would need to use either the card reader or a way to access the internal main board to connect an external device.

Even though there have been successful attempts in using the magnetic card reader to infect ATMs, [7] this is so unusual that it doesn't even bear further mention. The most common infection method requires the criminal to open the physical metal casing and access internal hardware ports. The USB port is the most utilized, but older machines that have a CD/DVD reader have been abused in exactly the same way.

2. The second major difference between ATMs and desktop machines is with respect to network connectivity. ATMs are not usually connected directly to the bank's network and certainly not to the Internet. The most common setup is to join the ATM's network with the bank's branch through a Virtual Private Network (VPN). Some stand-alone ATMs in remote locations are instead attached to the bank's network by means of a satellite connection. This can be a problem if the criminals manage to take over the network infrastructure or if it is not configured securely.

Middleware: The Key to the Safe


The XFS middleware provides a client-server architecture for financial applications on the Microsoft Windows platform, especially for peripheral devices such as those found in ATMs, which are unique to the financial industry. [8] XFS is commonly installed in ATMs and is widely supported by ATM vendors and financial service providers. The XFS specification defines a software interface that consists of:

• A set of Application Programming Interfaces (API)

• A corresponding set of Service Provider Interfaces (SPI)

• Supporting services for the handling/processing of API and SPI

XFS provides user applications with an access interface to the connected peripheral devices and financial services running inside the ATM. It provides access to peripheral devices that are unique to financial institutions. Since these devices (PIN pads, magnetic card readers, receipt printers and cash delivery mechanisms) are complex, difficult to manage, and proprietary, the use of XFS offers a number of benefits for financial institutions and their service providers.

An application that uses the XFS APIs to communicate with a particular service provider (an interface for peripherals, e.g. PIN pad, cash dispenser, receipt printer, etc., or an interface for services, e.g. the interbank network) can work with a service provider of another XFS-conforming vendor without requiring code modifications. This is the same principle that allows a programmer to use the Windows API to open a file without worrying about what hard disk it uses.

This is the main reason why ATM malware writers use the XFS APIs to compromise ATMs. They can easily communicate with the connected peripheral devices, and the malware code becomes portable, i.e., it will run on ATMs manufactured by different vendors without needing code modifications.

The following diagram illustrates the XFS system architecture:

[Figure 3 shows the XFS system architecture: applications call the XFS Manager through the API, and the XFS Manager calls the vendors' service providers through the SPI.]

Figure 3. XFS system architecture

Applications communicate with service providers via the XFS Manager using a set of APIs. The XFS Manager maps the specified API to its corresponding SPI. The SPI talks to the peripheral device; the user application thus invokes the SPIs only indirectly, through the vendor-neutral APIs and the XFS Manager. The vendor-neutral API abstracts the user application from device-specific implementations and calls. This is what enables the user application to run on ATMs from different manufacturers without code modification. The developers of financial services and manufacturers of financial peripherals are responsible for the development and distribution of service providers for their services and devices.

The XFS API has the following general set of functions: [9]

• Basic functions such as StartUp/CleanUp, Open/Close, Lock/Unlock, and Execute, that are common to all XFS device/service classes.

• Administration functions such as device initialization, reset, suspend, or resume. These are also used for managing devices and services.

• Specific commands used to request information about a service/device and to initiate service/device specific functions. These are sent to devices and services as parameters for the GetInfo and Execute basic functions.

The SPI is kept as similar as possible to the API. Some commands are processed exclusively by the XFS Manager, and so are not in the SPI.
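To make the API/SPI layering concrete, here is a small added model of it (example code for this edit, not XFS itself or any vendor's code; the real XFS function names are not on this page and are not used). Two hypothetical vendors, VendorA and VendorB, each provide a service provider for the cash dispenser class under the same logical name, "CDM", but with different internal opcodes; a toy manager maps the vendor-neutral Open/GetInfo/Execute/Close calls onto whichever provider is registered, so one application routine runs unchanged against either. The manager also shows where a defensive control fits: it opens a service only for callers on an allowlist (the hypothetical "bank-teller-app") and records every refused attempt. All names are invented for the example.

```python
"""Toy model of the XFS layering: application -> manager (API) -> vendor SPI.

Added example for this edit; not XFS and not any vendor's code. Vendor names,
opcodes, the "CDM" logical name and the application id are all invented.
"""
from dataclasses import dataclass


@dataclass
class VendorServiceProvider:
    """One vendor's SPI for a device class. Each vendor has its own command dialect."""
    vendor: str
    device_class: str
    dialect: dict                 # neutral command name -> vendor-specific opcode
    opened: bool = False

    def spi_open(self):
        self.opened = True

    def spi_close(self):
        self.opened = False

    def spi_get_info(self, category: str) -> dict:
        if not self.opened:
            raise RuntimeError("service not open")
        if category == "status":
            return {"vendor": self.vendor, "class": self.device_class, "online": True}
        raise ValueError(f"unknown info category {category!r}")

    def spi_execute(self, command: str) -> dict:
        if not self.opened:
            raise RuntimeError("service not open")
        if command not in self.dialect:
            raise ValueError(f"{self.vendor} does not support {command!r}")
        # A real SPI would drive hardware here; this model only reports the opcode used.
        return {"vendor": self.vendor, "opcode": self.dialect[command], "ok": True}


class ToyXfsManager:
    """Maps the vendor-neutral API onto whichever SPI is registered under a logical name."""

    def __init__(self, allowed_apps):
        self._registry = {}          # logical service name -> VendorServiceProvider
        self._handles = {}           # handle -> (app_id, provider)
        self._allowed = set(allowed_apps)
        self.audit = []              # defender's view: every open attempt, allowed or refused
        self._next_handle = 1

    def register(self, logical_name: str, provider: VendorServiceProvider):
        self._registry[logical_name] = provider

    def open(self, app_id: str, logical_name: str) -> int:
        allowed = app_id in self._allowed
        self.audit.append((app_id, logical_name, "allowed" if allowed else "refused"))
        if not allowed:
            raise PermissionError(f"{app_id} is not allowed to open {logical_name}")
        provider = self._registry[logical_name]
        provider.spi_open()
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._handles[handle] = (app_id, provider)
        return handle

    def get_info(self, handle: int, category: str) -> dict:
        return self._handles[handle][1].spi_get_info(category)

    def execute(self, handle: int, command: str) -> dict:
        return self._handles[handle][1].spi_execute(command)

    def close(self, handle: int):
        _, provider = self._handles.pop(handle)
        provider.spi_close()


def run_diagnostic(manager: ToyXfsManager, app_id: str, logical_name: str) -> dict:
    """Application code: written once against the neutral API, vendor unknown to it."""
    h = manager.open(app_id, logical_name)
    try:
        status = manager.get_info(h, "status")
        result = manager.execute(h, "reset")   # "reset" is an admin function named on the page
    finally:
        manager.close(h)
    return {"vendor_seen": status["vendor"], "reset_opcode": result["opcode"]}


def build_manager(vendor: str) -> ToyXfsManager:
    """Hypothetical vendors A and B expose the cash dispenser class under the same logical name."""
    dialects = {"VendorA": {"reset": 0x0101, "status": 0x0102},
                "VendorB": {"reset": 0x2001, "status": 0x2002}}
    m = ToyXfsManager(allowed_apps={"bank-teller-app"})
    m.register("CDM", VendorServiceProvider(vendor, "CDM", dialects[vendor]))
    return m


if __name__ == "__main__":
    for v in ("VendorA", "VendorB"):
        print(v, run_diagnostic(build_manager(v), "bank-teller-app", "CDM"))
```

The same `run_diagnostic` body produces a VendorA result on one manager and a VendorB result on the other, which is exactly the portability the text attributes to malware built on the XFS APIs. The allowlist check in `open` is the kind of control point a layered defense can use: any caller, legitimate or not, has to obtain a handle before it can reach a peripheral, so refusing unknown callers there and logging the attempt is a cheap place to observe unexpected code talking to the dispenser.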

The Masterplan: Infect and Conquer


There are two main objectives that a malware writer may try to achieve by infecting an ATM box:

• The first objective is emptying the safe of cash. This is colloquially known as "jackpotting" the machine and is possibly the most obvious goal of this type of malware.

• The second objective is logging payment card data while the machine is being used by clients to withdraw funds. This is like a virtual skimming device.

Both objectives are compatible and there is malware that can do both. As mentioned above, a successful attack would require either physical access to the ATM's mainboard or a way to access the bank's internal network. In case of infection through the network, an attacker would also need additional access to the ATM's VPN.

Either way, there are two possibilities:

• The attacker has insider knowledge or help (to find out how to access the network or to open the machine's hardware protection).

• In the case of physical hardware access, the machine's internals are accessible by means of commonly available generic physical keys. This is not unheard of; there are plenty of hardware parts in public places that use generic protection locks merely to deter easy access to passersby. These kinds of locks are usually found protecting those devices that are not critical enough to warrant the use of real customized security. Obviously, in the ATM's case, the deployment of generic security locks is a gross underestimation of the risks of allowing easy access to the machine's internal hardware to determined individuals.

Once the criminal has physical access to the USB port or CD-DVD drive, he can insert the device carrying the malware, restart the computer and boot with it. At that point, the attacker has full control of the machine. The next step usually involves mounting the ATM's internal operating system file system, copying the malware into it, and modifying the OS so that it executes the malware on a regular boot. The infection is effective after the machine reboots, giving the installed malware access to the special hardware, such as the keypad, the card reader, and the different cassettes that hold the banknotes of each of the denominations. The whole process should take no more than 10 minutes.

The malware attacks we describe in this paper are different from blackbox attacks. In blackbox attacks, the crooks detach the physical cash dispenser from the ATM, connect it to an external computer, and issue dispensing commands. In both attacks, the criminal accesses the ATM's mainboard and physically manipulates it. The big difference is that in a blackbox attack there is no malware involved and therefore the defense strategies are also completely different.

Figure 4. Old-school skimming attacks through physical means. [10]

Attack Routes and Malware Types

The Malware Families

Skimer

Skimer was the first known piece of malware to target ATMs. It was first discussed in a SophosLabs blog post in March 2009 and was initially thought to be a credit card skimming malware targeting ATMs. [11] Skimer may have existed as early as July 2007 and was originally found targeting ATMs in Russia and Ukraine. [12] Skimer exclusively targets ATMs manufactured by Diebold, who confirmed that there was no network-level security compromise in Skimer infection cases. This means that the malware was manually installed on the ATMs. [13]

Recent ATM malware families directly or indirectly use the XFS middleware to access ATM peripheral devices such as the cash dispenser, PIN pad, receipt printer, etc. Skimer, on the other hand, uses a Diebold custom middleware, similar in functionality to XFS, to access the ATM's peripherals. It is unclear whether only older Diebold ATMs run the custom middleware or all Diebold ATMs run it. Also, it is unclear whether the Diebold custom middleware interfaces with XFS. Two variants of Skimer were found in the wild. Skimer v2009 reads user input from the PIN pad, dispenses cash, and collects transaction data. Skimer v2011 is a scaled down version of v2009 that only does data collection. Both Skimer variants are still actively being used by criminals today.

Key points:

• Skimer is likely installed manually by accessing the ATM's internal hardware via USB or bootable CD.

• Two variants of Skimer have been discovered in the wild: v2009 and v2011.

• Skimer v2009 reads user input from the PIN pad, dispenses cash, and collects transaction data. It also requires an authorization code before dispensing cash. The operator has to obtain this code from the criminal group controlling Skimer.

• Skimer v2011 is a scaled down version of Skimer v2009 that only collects data. It writes the collected data to log files and encrypts the files using RC4 encryption. The operators use a master card to authenticate to the malware. They also use the same card to retrieve the stolen credit card information.

• Both variants of Skimer are still being used by criminals.

Ploutus

Ploutus exclusively targets ATMs manufactured by NCR. Information security firm SafenSoft first disclosed news about Ploutus' existence back in September 2013 when the malware was discovered attacking ATMs in Mexico. [14]

A month after it was first discovered, a more advanced variant of Ploutus with a modularized architecture [15] was discovered. The new variant, dubbed Ploutus.B, makes it more difficult to discover the infection, as there are now three modules to identify and detect as opposed to one. This redesign also extended the malware's functionality. In recent reported cases of infection, a mobile phone had been physically installed inside the ATM's housing. This device received cash withdrawal commands via SMS and then forwarded them to Ploutus.B, thereby minimizing direct physical interaction between the operator and the ATM.

The Ploutus malware was created by developer(s) with expert knowledge and experience in developing software for ATMs manufactured by NCR.

Key points:

• The Spanish language strings found in the original Ploutus malware were translated into English in the second version. Some observers are suggesting that this is a strong indication that Ploutus.B is also used in other countries.

• The Ploutus malware was created by developer(s) with expert knowledge and experience in developing software for ATMs manufactured by NCR.

• Ploutus' initial infection was supposedly done using a bootable CD-ROM. It is highly probable that the lock of the ATM housing was either picked or opened with a key to access the CPU and load a CD-ROM containing the Ploutus malware.

• The original Ploutus malware accepts an 8-digit activation code. This activation code is required to start interacting with Ploutus to withdraw cash. This is a control feature: the low-level operator withdrawing the cash from the ATM needs to call the criminal group to receive the activation ID and proceed with cash withdrawal.

• Ploutus.B accepts a 16-digit code, and when an incorrect activation code is input, the malware will sleep for 500 minutes, rendering repeated attempts to activate the malware useless. This is yet another built-in security control.

• When the correct activation code is input, Ploutus.B becomes active for 24 hours. The low-level operator can withdraw cash only during this 24-hour period before requiring a new activation code. Ploutus prints an error message and will not dispense cash after that period.

• Ploutus can read user input from both the ATM's PIN pad and a connected external keyboard. On the other hand, Ploutus.B can read user input only from the ATM's PIN pad.

• Ploutus.B does not have the option to specify the number of bills to dispense. The malware checks the number of bills in each cassette and dispenses all the cash from the first cassette with 40 or more bills, and repeats the process every time it receives a new dispense request.

Padpin-Tyupkin

Padpin was first discovered in May 2014 by Symantec. This malware family is responsible for the theft of millions of dollars from ATMs across certain parts of Europe and South East Asia. [16,17] An updated version was discovered in October 2014 by Kaspersky Labs and was renamed Tyupkin. [18] Padpin and Tyupkin are based on the same code base, [19] as confirmed through code analysis and also by the ATM manufacturer NCR.

Key points:

• Padpin targets NCR-manufactured ATMs with McAfee Solidcore installed on the machine.

• Padpin is installed on the ATMs using a bootable CD-ROM. The most probable scenario involves picking the ATM housing's lock and infecting the system through a bootable CD.

• Padpin hooks the ATM's PIN pad and allows control of the malware via the PIN pad.

• By default, Padpin is set to be active between 1 a.m. and 5 a.m. from Sunday to Monday. This indicates that the criminal group operates at night to avoid raising suspicion.

• Padpin allows cash to be withdrawn from the ATMs. It uses session keys to ensure low-level operators rely on the main criminal group to withdraw funds.

GreenDispenser
GreenDispenser is an ATM malware family discovered by Proofpoint in September 2015 and found to be
victimizing ATMs in Mexico.20 GreenDispenser malware samples were first uploaded to VirusTotal back
in June 2015 from India and Mexico. Based on available evidence, there is no connection between these
two countries and GreenDispenser. One could theorize that the criminals have outsourced the malwares
development to Indian programmers but there is no further evidence pointing to it.

Key points:

GreenDispenser will only run if the date is between January 1 and August 31, 2015. The
samples we analyzed were created for a limited campaign period.

ATMs infected with GreenDispenser display an error screen with a message: We regret this
ATM is temporarily out of service. This renders the ATM unusable to regular users.

GreenDispenser does not restrict itself to targeting ATM machines from a single manufacturer
only. Instead, the malware is designed to be able to compromise any ATM that uses the XFS
middleware.

GreenDispenser employs a two-stage authentication process before the operator can access
the cash dispenser menu.

The first authentication key is used to disable the error screen. Once the error window is
disabled, GreenDispenser displays a new screen with a QR code and menu options: "Enter
second key. Press 9 to pause, 8 to permanently delete."

The second authentication key is dynamically generated using Windows built-in cryptographic
functions. The QR code displays the encrypted second key.

The operator scans the QR code and either uses a custom app to decrypt the key or contacts
the main criminal group for help with decryption. The decrypted second key is entered on the
PIN pad to access the cash dispenser menu.

After each dispensing operation, an updated count shows how many bills remain inside the
ATM. GreenDispenser assumes there is only a single type of currency stored in the ATM.

GreenDispenser has an elaborate uninstall procedure to remove all traces of an infection. After
GreenDispenser has been successfully removed from the system, the ATM returns to its regular
operation.

GreenDispenser was probably installed manually in the ATM either by an insider or by members
of the criminal group.

Suceful
Suceful is an ATM malware prototyping tool that was first blogged about in September 2015 by FireEye.21
Two Suceful samples were uploaded to VirusTotal on August 28, 2015; one sample was uploaded from
France and the other from Russia. The origin country for VirusTotal submissions can be manipulated using
a VPN service, and thus the actual origins of the tool remain inconclusive.

Based on reports about ATM malware families like Tyupkin-Padpin and Ploutus, Suceful was assumed
to be a new ATM malware family. After careful code analysis, we have concluded that Suceful is really
a prototyping tool rather than actual malware that would be deployed in ATMs. The fact that no
cases of Suceful infections have been discovered in the wild supports this conclusion. It is
highly plausible that Suceful is being actively used in the development of ATM malware samples that are
currently undetected and in the wild.

Key points:

The GUI shows Suceful is targeting ATMs manufactured by Diebold and NCR. The code reveals
no evidence that NCR ATMs were being targeted.

NCR ATMs are possibly a future target for the Suceful group, which may be the reason why
button labels for NCR were included in the GUI.

Suceful can read track data from inserted payment cards.

Suceful can read user input from the ATM's PIN pad.

Suceful can control operations of the ATM's door sensors, alarm sensors, generic sensors,
key switch sensors, lamp/sign indicators, auxiliary indicators, and enhanced audio controls
physically attached to the machine.

Modifying Sensors and Indicators Unit (SIU) ports suggests physical compromise of the ATM
is a likely option.

There is no user access control mechanism in Suceful. This is a common feature of ATM
malware samples.

Cash-dispensing functions were not tested in Suceful. The Suceful group may only be targeting
payment card data.

The Suceful group had access to leaked Diebold Agilis XFS manuals.

NeoPocket
NeoPocket is an information-stealing malware that targets ATMs manufactured by Diebold. S21sec
discovered NeoPocket in April 2014.22 Unlike the majority of ATM malware, NeoPocket does not steal
cash from the ATM, as it focuses on data theft only. The malware steals ATM transaction data using a
Man-in-the-Middle (MitM) attack and keylogs user input from specific application windows. This stolen
data can be sold in Deep Web markets, used to create counterfeit payment cards, and used for fraudulent
fund transfers out of victims' accounts. Because no cash is stolen from the ATM, the compromise tends to
remain undetected for prolonged periods and thus allows the criminal group behind NeoPocket to collect
large amounts of sensitive data.

Key points:

Expert knowledge of Diebold Agilis is mandatory to understand how the system is set up to
successfully carry out the MitM attack.

Because no cash is stolen from the ATM, the compromise tends to remain undetected for prolonged
periods and allow the criminals behind NeoPocket to collect large amounts of sensitive data.

NeoPocket will not execute past May 20, 2014. After that date, the malware will terminate its
process but not uninstall itself.

Similar to other ATM malware, NeoPocket requires an installation key. This feature enables the
attackers to track and control the infected ATMs and prevents a rogue low-level operator from
installing the malware on random ATMs to steal the collected transaction data.

NeoPocket is manually installed on the ATM. The operator uses a keyboard to input the installation
key in the pop-up installation window. NeoPocket does not communicate with the ATM's peripheral
devices and does not have access to the ATM's PIN pad.

NeoPocket logs user input from windows with titles such as "Enter the A key" and "Escriba la clave A".
No information is available about what data is input in these windows and how it is input (keyboard
or PIN pad). It is interesting to note that NeoPocket looks for window titles in both English and
Spanish.

NeoPocket has functionality to terminate the SMC.exe process, which is the Symantec Endpoint
Protection software. We believe that NeoPocket targets certain financial institutions in Latin
America. The use of a Spanish verb such as "ingresar" is a clear sign that the threat comes from
Latin America as opposed to Spain. Additionally, S21sec confirmed privately to us that the country
where they found their sample is in that region.

Once operational, NeoPocket receives commands from a connected USB device. The malware
uses unconventional methods to receive user commands through this USB device.

The Perpetrators: Who Are Behind the Attacks?
The figure below lists the most important features of each malware type, laid out based on the attacks
described in the previous section.

[Map of malware families by region of origin; regions shown: Eastern Europe, South America]

Family            First found    Language       Goal
Skimer            2009           Delphi         Dispense/skim
Ploutus           2013           .Net           Dispense
Padpin            2014           .Net           Dispense
Suceful           2015           Borland C++    Prototyping tool
GreenDispenser    2015           Visual C++     Dispense
NeoPocket         2014           VB             Skim

Figure 5. Malware families and their geographical origins

A look at this map reveals a clear pattern. There are two older malware pieces stemming from South
America with Spanish-language strings. These strings are likely to have been written by the developers, so
their South American origin is difficult to deny. Of those two older threats, Skimer and Ploutus, one
specifically targets NCR, while the other targets Diebold ATMs.

A theory starts shaping up: those two threats might come from the same or a similar source and could
have been created to establish comprehensive coverage of the ATM market (the third largest ATM vendor
is missing here, but apparently it is not so common in this region). Remember that these threats surfaced
before XFS made it easier for ATM developers to share software, so the criminals had to write platform-
specific code. The one variable that is missing is a version of Ploutus that can only skim, instead of
only dispensing cash. If it exists, such malware has never been seen in the wild. By design, software
skimmers are not easy to spot (unlike purely cash-dispensing malware), and they can be active for years
before a live sample is found.

The only variable left hanging is the fact that Skimer v2009 was first found in Russia and Ukraine.
There is a clear link between v2009 and v2011 in terms of coding style and the way they go about
infecting the system and accessing ATM-specific hardware. It is most likely that the original code was
developed in Eastern Europe and was reused by the Latin American criminal group that evolved it into a
skimming-only attack.

GreenDispenser is a more recent piece of malware from the same region. This particular malware seems
to be a dispense-only version of Skimer and Ploutus with multivendor support. Since Skimer and Ploutus
are still currently active, we can theorize that GreenDispenser belongs to a rival group or (given the
accumulated knowledge the program seems to have) to an ex-member of the first criminal group, now
competing against them.

Then, we have NeoPocket, a virtual skimming malware from Latin America. We cannot rightfully associate
NeoPocket with any of the previous malware (Skimer/Ploutus/GreenDispenser), since this seems to be
much more targeted. NeoPocket looks more like a custom-made operation against a specific bank with
the help of an insider, or perhaps the whole attack is an inside job. In any case, it looks like it's completely
different from the others we have analyzed.

On the other side of the world, we have a second criminal group coming from Russia, or at least a Russian-
speaking region. This Eastern European criminal outfit seems to be behind Padpin and targeted first
Russia and surrounding countries, and then moved on to other Western European countries. We have
recently seen how a Moldovan citizen was arrested after moving to the U.K. and victimizing 50+ ATMs in
and around the city of London.23 This gives credence to the existence of such a group, whose members
would be in charge of creating cells in different western countries. We have also heard from private sources
about isolated victimization of separate ATMs in tourist towns in Turkey with a large Russian presence. This
supports the conclusion that Eastern European criminal group members are behind Padpin.

How does Suceful fit into this model? It is possible that the same Eastern European criminal group
created this tool to test and debug the routines that would make it into the production-level malware,
either Padpin or some other undetected Trojan.

The next biggest incident we need to carefully analyze is the one that happened in Malaysia in 2014. There
are different theories around it, the two main ones being:

1. Some sources describe the attacks as coming from South America. The malware involved was also
described as being able to dispense 40 bills per batch.24 This is consistent with the characteristics of
Ploutus that originates from South America. Also, some reports note that the suspects captured on
the banks camera systems were described to have South-American looks.25

2. A different take is based on the findings of most AV vendors that attribute it to Padpin. Padpin would
link this incident to Eastern European criminals. There have also been media reports linking the same
person arrested in London with the attacks in Malaysia, since the same person was in that country on
the dates the attacks took place.26 We do not have official police reports for this incident, but based
on the technical facts we have, it seems most likely that the Malaysian attack was performed by a
criminal cell from Eastern Europe using Padpin. The theory of this Eastern European criminal group
victimizing foreign sites and holiday resorts is consistent with the picture we painted above.

2009: Skimer, the first malware of its kind, was first detected targeting ATMs in Russia and
Ukraine. It might have been around since 2007.

September 2014: Multiple ATM hacks (most likely attributed to Padpin) happened in Malaysia and
are linked to the Eastern European crime scene.

October 2014: A criminal group (most likely tied to the same group in Malaysia) was arrested in
London for hacking ATMs in Malaysia, UK, Germany and Canada that amounted to a total loss of 2M.

January 2016: A criminal group was arrested in Romania for bank fraud (fraudulent bank
withdrawals on ATMs via cloned cards, utilizing Padpin) that amounted to 13.5M.

Figure 6. Timeline of incidents involving ATM malware that cash out ATMs

Although we have not yet seen ATM malware being sold in the underground, we expect that there will at
some point be some interchange of malware, or at least techniques between different criminal groups. For
now, the reports are scattered and isolated to localized regions where the criminals perform short-lived
campaigns and quickly move on to some other place. In the case of the Eastern European criminal group
behind Padpin, we suspect that they are using different high-ranking group members to mobilize a cell,
move to a new territory, victimize a set of ATMs, and get out. This plan may possibly have been thwarted
or slowed down by the recent arrest of one of their members by the U.K. police.

On January 5, 2016 the Romanian law enforcement agency DIICOT arrested what seems to be a whole
criminal organization27 that utilized Padpin to victimize ATMs in the Romania-Moldavia region. This is yet
another example of the activities of these groups and the way they operate. Whether these criminals
created Padpin or acquired it from other criminals remains unknown.

The way it looks, different criminal groups have already graduated from physical to virtual skimming via
malware thanks to the lack of security measures implemented by commercial banks worldwide. This is
common in Latin America and Eastern Europe, but these criminals are exporting the technique and have
started to victimize other countries.

Threat Defense
A Layered Defensive Approach
In order to protect ATMs as best as possible, we recommend a layered defensive approach. This includes
working on five distinct lines of defense:

1. Physical access

2. Offline protection

3. Online protection

4. Additional measures

5. Industry recommendations

Covering these areas will go a long way toward stopping the criminals or at least deterring them from
pulling off successful attacks with unsophisticated or easy methods. By setting up protections, we try to
avoid becoming the low-hanging fruit in this threat space. Here are specific recommendations for each of
those protection layers:

Securing the Physical Access

Only authorized personnel should be allowed to carry out work on an ATM.

1. Ensure that authorized service providers carry accreditation documents and that there is a procedure
for ATM site personnel to authenticate their authorization to work on the ATM.

2. Usually, the top compartment (top box) of an ATM contains the PC. This area should be secured by
an intruder-alert alarm to prevent unauthorized opening, or the access lock to the top box should be
changed to avoid the usage of default master keys provided by the manufacturer.

3. Surveillance monitoring (in the form of security cameras) should be in place. These will be able to
detect and record suspicious activity around the ATM. If camera surveillance is already in use, videos
and images should not be stored on the ATM. Camera operations should never be interrupted by an
ATM reboot.

4. There should be adequate lighting in and around the ATM.

Offline protection
Logical attacks can be performed without using the ATM operating system.

BIOS Configuration

1. BIOS configuration editing should be password-protected.

2. The BIOS password should be as complex as possible and should never be the vendor's default password.
Every ATM should have a different BIOS password.

3. The BIOS should be set to boot only from the ATM hard drive.

4. The BIOS should be set to disallow boot from removable devices or CD/DVD drives.

5. The operating system should have a robust admin password that is regularly changed, ideally after
every time the system is accessed by the maintenance staff. This password should be complex and
different from the BIOS password.

6. Ensure that AUTORUN is fully disabled.

Hard Disk Encryption

Hard disk encryption should be deployed to prevent unauthorized changes to the hard drive content.

Cash Dispenser Communication

1. To prevent unauthorized devices from sending commands to the cash dispenser, the initial
communication should require authentication at the cash dispenser (by physical access to the safe).

2. It should not be possible to circumvent the cash dispenser communications protection (either by
rolling back firmware or by replaying messages).

Online Protection
1. All network communication in and out of the ATM network should be authenticated and encrypted. The
recommendation is to use TLS 1.2 or a VPN, and to implement MACing to provide cryptographic
authentication of sensitive messages.

2. In addition, a firewall within the ATM OS should drop all communication attempts from the outside
network to any TCP port the ATM application does not need. All unrecognized protocols should be
dropped as well, regardless of destination port.

3. In the OS, unused services and applications should be stopped, disabled or, if possible, uninstalled.

4. Ensure that the application runs in a locked down account with minimum privileges and never with
admin rights.

5. Ensure that the use of unknown USB/CD/DVD devices is not allowed. If the hardware is present but
there is no use for it, either have it physically removed or blocked (like epoxy-filling USB ports, for
instance).

6. The OS should enforce strict separation of applications and prevent unauthorized services
from running. Additionally, establish a policy for secure software upgrades.

7. If the USB port or CD/DVD drives are needed at all, make sure that the AUTORUN feature of the OS
is disabled. If at all possible, disable these devices altogether.

8. We recommend the use of a whitelisting solution so that only the ATM application is able to run and
not any other new software that could potentially be installed.

Additional Measures
1. ATM installation. It is recommended to start with a clean installation of the ATM's software or perform
an antivirus check before the approved installation.

2. Secure software delivery. You should establish a clear policy for secure and regular software updates
for all software installed on the ATM.

3. Fraud monitoring. Deploy a responsive real-time fraud system. Ensure your fraud system identifies
suspicious patterns of behavior to stop fraud.

4. ATM monitoring. Make sure that effective ATM monitoring is in place and that every time an ATM
housing case is opened, this instance is logged centrally. Any related alerts of this nature should be
monitored, identified, and acted upon.

5. Cash refilling cycles. Consider filling the ATM with just enough cash to last a full refill cycle.

6. Penetration testing. Conduct a regular ethical hacking test and vulnerability scan on the ATM and its
network, including VPN and any other access (Wifi, satellite, etc.).

7. Look for abnormalities. Perform random tests during normal ATM maintenance and cash
replenishment, looking for things that may be out of the ordinary; this includes the ATM's dashboard,
even inside the ATM's operating area.

8. Segregation of duties. Individual employees should not have full access to the ATM.

9. Proof to the host. The ATM should be able to prove to the host that its software is intact: the ATM
computes a hash over the software it runs and returns it to the host, which checks that it matches the
expected hash.
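As an added illustration of the "proof to the host" recommendation (item 9), combined with the MACing and anti-replay points from the Online Protection and Cash Dispenser sections, the following host-side check hashes the ATM's approved software set and binds it to a single-use host nonce with an HMAC. This is example code, not from the report or any ATM vendor; the file paths, file contents, manifest layout and the placeholder key are assumptions.

```python
"""Host-side software attestation check (added example, not from the report).
The ATM hashes its software set, binds the digest to a host-issued nonce with
an HMAC, and the host verifies freshness, MAC and baseline in that order."""
import hashlib
import hmac
import os

# Constructed stand-in for the approved software set on one ATM: path -> bytes.
# (A real ATM would hash files on disk; the host only needs the expected digest.)
APPROVED_FILES = {
    "C:/Diebold/Dll/DFCMsg.dll": b"legitimate messaging dll",
    "C:/WINDOWS/system32/lsass.exe": b"legitimate lsass",
    "C:/ATM/app/atmapp.exe": b"legitimate ATM application",
}

# Placeholder for a per-ATM key that would normally live in an HSM or TPM.
SHARED_KEY = b"per-ATM-attestation-key-placeholder"


def manifest_digest(files):
    """SHA-256 over sorted (path, sha256(content)) pairs. Sorting makes the
    digest independent of enumeration order; hashing the path as well as the
    content means an added, removed or renamed file changes the result."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.digest()


def atm_attest(files, nonce, key=SHARED_KEY):
    """ATM side: compute the current manifest digest and bind it to the host's
    nonce with an HMAC, so the response can be neither forged nor replayed."""
    digest = manifest_digest(files)
    tag = hmac.new(key, nonce + digest, hashlib.sha256).digest()
    return digest, tag


class HostVerifier:
    """Host side: issues single-use nonces and checks each attestation."""

    def __init__(self, expected_digest, key=SHARED_KEY):
        self.expected = expected_digest
        self.key = key
        self.outstanding = set()   # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, digest, tag):
        if nonce not in self.outstanding:
            return "reject: unknown or replayed nonce"
        self.outstanding.discard(nonce)        # every nonce is single-use
        expected_tag = hmac.new(self.key, nonce + digest, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return "reject: bad MAC (wrong key or tampered response)"
        if not hmac.compare_digest(digest, self.expected):
            return "reject: software set differs from approved baseline"
        return "ok"


def run_scenarios():
    """Exercise the check against a clean ATM, a replayed response, a dropped
    file, a modified file and a wrong key. Returns scenario name -> verdict."""
    host = HostVerifier(manifest_digest(APPROVED_FILES))
    results = {}

    n = host.challenge()
    clean_response = atm_attest(APPROVED_FILES, n)
    results["clean"] = host.verify(n, *clean_response)

    # Replaying the earlier valid response fails: its nonce is already consumed.
    results["replay"] = host.verify(n, *clean_response)

    # An extra DLL dropped next to the legitimate Agilis components.
    with_dropped = dict(APPROVED_FILES)
    with_dropped["C:/Diebold/Dll/DFCDrgr.dll"] = b"dropped dll (constructed)"
    n = host.challenge()
    results["dropped_file"] = host.verify(n, *atm_attest(with_dropped, n))

    # A legitimate binary whose contents were altered in place.
    modified = dict(APPROVED_FILES)
    modified["C:/ATM/app/atmapp.exe"] = b"patched ATM application"
    n = host.challenge()
    results["modified_file"] = host.verify(n, *atm_attest(modified, n))

    # A response produced without the per-ATM key cannot pass the MAC check.
    n = host.challenge()
    results["wrong_key"] = host.verify(n, *atm_attest(APPROVED_FILES, n, key=b"x"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} {verdict}")
```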

Industry Recommendations
1. The ATM has two distinct compartments: the PC and the safe. Each section should be accessible by
different maintenance employees and should require different customized sets of lock keys.

2. Each set of keys should not be easily accessed by anyone and, ideally, they should be specific for
each ATM. Ideally, the PC compartment should be made as secure as the safe box.

3. Implement BIOS passwords, which should be changed after every time the BIOS is accessed by maintenance
staff.

4. The hard drive of the ATM PC needs to be encrypted and checked for integrity to detect changes.

5. The initial hardware communication between the PC and the cash dispenser needs to be authorized
and encrypted. This is to prevent rogue hardware devices communicating with the cash dispenser.

6. All firmware running on any hardware devices on the ATM PC should not be susceptible to a version
downgrade or rollback. Firmware upgrades should require special authorization via encryption keys
or other secure means.

7. There has to be a clear policy on how and when the software in use is to be updated or upgraded.
Make sure the update process never shows vital information on-screen, like usernames, IPs, file
system paths, passwords, etc.

If current developments are any indication of what we will be using in the future, the trend in ATM security
seems to be biometric authentication. The possibility of using body-part scanning as a means of checking
your identity, instead of carrying a mere plastic card, can add a lot of security to ATMs. Some banks and
ATM manufacturers are already working on this28 and have the machines available for demo. This can be
a big change in how we approach ATM security in the future if adoption becomes significant in the coming
years.

Figure 7. Keypad and card reader hardware are replaced
in the new Diebold ATM model29
(shown at CES 2016 Las Vegas)

Appendix I

Skimer
There have been two variants of Skimer discovered in the wild. Skimer v2009 reads user input from the
PIN pad, dispenses cash, and collects transaction data. Skimer v2011 is a scaled-down version of v2009
which only collects data. Both variants of Skimer are still being used by criminals today.

v2009
The dropper installs Skimer with filename lsass.exe in the <WINDOWS> directory. The dropper manipulates
the Protected Storage service to point to the malicious lsass.exe in the <WINDOWS> directory instead
of the original lsass.exe in the <SYSTEM> directory. This means that Skimer remains persistent between
reboots. When the Uninstall command is sent to Skimer, it points the Protected Storage service back
to the original lsass.exe. Skimer's main function does the following:

Figure 8. Skimers main function

Skimer creates the files <WINDOWS>\trl2 and <WINDOWS>\kl. These are log files in which the malware
writes collected data. Next it injects itself into the processes mu.exe and SpiService.exe. These are Diebold
Agilis 91x processes. Agilis is proprietary software and information about mu.exe and SpiService.exe
is not publicly available. Skimer attempts to load the function SQReceiveFromServer from the DLL file
sharedq.dll, which is another Agilis component. Once that function is loaded, the buffer is parsed for the
tags HST or TCS, and the matched contents are written to the log files. We speculate that the function
SQReceiveFromServer is used for communicating with backend servers, and that Skimer is attempting to
capture transaction metadata.

Although we have not been able to verify the trigger, the company Dr. Web30 suggests the existence
of a master card, which the program is able to detect whenever it is introduced in the card reader.
This procedure is supposed to start up the malwares graphical interface and malicious routines as
described below.

When a trigger with value 12593 is received (possibly coming from the ATMs card reader), Skimer enables
the user menu.

Figure 9. The Skimer user menu

Skimer accepts the following commands:

Option 1. Uninstall Skimer

Option 2. Print information about the ATM

Option 3. Delete the log files from the system

Option 4. Shutdown the ATM

Option 5. Test the receipt printer

Option 6. Print collected data via the receipt printer and encode with DES

Option 7. Display the secondary user menu

Option 8. Retrieve information about cash levels

Option 9. Copy collected data to master card

Skimer receives user command input directly from the PIN pad. It makes the system call
DbdDevExecute(EPP4_ENCODE_DECODE) to read user input from the Encrypted PIN Pad (EPP).

Figure 10. Read user input from EPP

When Option 2 is selected, Skimer prints out information about the ATM, which includes statistics on
transactions, cards, and keys.

Figure 11. Skimer prints out information about the ATM

When Option 8 is selected, Skimer looks for the window with the name Diebold:OGuiFrame. This is the
ATM's software user interface. The Diebold:OGuiFrame interface is password protected and the operator
needs to enter the right password. This could either be a default password, or the operator has insider
knowledge of the current password. Once past this password prompt, Skimer searches for the child
windows STATIC and EDIT. Skimer's goal is to access the Supply Manager, which contains information
about current cash levels in the cash cassettes.

Figure 12. Retrieve cash levels information

To dispense cash from the ATM, the operator selects Option 7. This brings up a secondary user menu
after the operator enters an authorization code. This type of control mechanism is a common feature
found in ATM malware, wherein an authorization code is required before the operator can withdraw cash
from the ATM. The operator will need to contact the main criminal group for the authorization code. This
ensures that the main criminal group retains control over cash dispensing from the infected ATMs and that
the operator doesn't go rogue and steal from the group. Once the correct authorization code is entered,
Skimer displays the following menu as a pop-up window:

1-4. Dispense cassette

9. Uninstall

0. Exit

The operator can choose to dispense cash from any of cassettes 1-4, Uninstall Skimer, or Exit.

Figure 13. The secondary user menu display

Skimer does not provide an option to specify how many bills to dispense. The operator can choose to
dispense cash from cassettes 1-4, and Skimer will dispense all stored bills in the selected cassette. The
malware dispenses cash by issuing the commands:

DbdDevExecute(AFD_PRESENT)
DbdDevExecute(AFD_DISPENCE)
DbdDevExecute(AFD_RESTORE)

The DbdDevExecute command is similar to the XFS command WFSExecute and AFD is assumed to be
the cash dispenser peripheral.

Figure 14. The display when cash is dispensed from the ATM

Skimer v2009 has continued to evolve over the years with the most recent sample discovered in 2014. The
basic operations remain the same but the malware installation procedure has changed and functionality
expanded. For a quick comparison, the samples from 2009 made the following system calls:

DbdDevExecute(AFD_DISPENCE)
DbdDevExecute(AFD_PRESENT)
DbdDevExecute(AFD_RESTORE)
DbdDevExecute(EPP4_DISABLE_KEYBOARD_READ)
DbdDevExecute(EPP4_ENABLE_KEYBOARD_READ)
DbdDevExecute(EPP4_ENCODE_DECODE)
DbdDevExecute(MCRW_ACCEPT_INSERTION)
DbdDevExecute(MCRW_POWERON)
DbdDevExecute(RECEIPT_PRINTER_EJECT)
DbdDevExecute(RECEIPT_PRINTER_START_GDI)

In the most recent sample, the malware is a DLL file that is injected into a Diebold Agilis 91x process. It
makes the following systems calls:

DbdDevExecute(AFD_DISPENCE)
DbdDevExecute(AFD_PRESENT)
DbdDevExecute(AFD_RESTORE)
DbdDevExecute(EPP4_COPY_KEY)
DbdDevExecute(EPP4_DELETE_KEY)
DbdDevExecute(EPP4_DISABLE_KEYBOARD_READ)
DbdDevExecute(EPP4_ENABLE_KEYBOARD_READ)
DbdDevExecute(EPP4_ENCODE_DECODE)
DbdDevExecute(EPP4_LOAD_KEY)
DbdDevExecute(MCRW_ACCEPT_INSERTION)
DbdDevExecute(MCRW_CHIP_IO)
DbdDevExecute(MCRW_IC_CONTACT_POSITION)
DbdDevExecute(MCRW_MCRW_Eject)
DbdDevExecute(MCRW_POWEROFF)
DbdDevExecute(MCRW_POWERON)
DbdDevExecute(RECEIPT_PRINTER_EJECT)
DbdDevExecute(RECEIPT_PRINTER_START_GDI)
DbdDevExecute(RESET)

The system calls DbdDevExecute(MCRW_CHIP_IO) and DbdDevExecute(MCRW_IC_CONTACT_POSITION)
suggest that the latest Skimer v2009 supports Chip & PIN card operations. We believe that this malware
is a hybrid of the original v2009 and the later v2011 variants. The installation procedure is similar to v2011 and
the functionality is the same as v2009 with a few new additions.

v2011
A new Skimer variant was submitted to TrendLabs back in June 2011.31,32 Skimer v2011 only collects data
as opposed to Skimer v2009, which reads user input from the PIN pad, dispenses cash, and collects
transaction data. The installation procedure for v2011 is also different. The malware is a DLL file that is
injected into a Diebold Agilis 91x process.

When first executed, the Installer drops the following files:

<ROOT>\Diebold\dll\DFCDrgr.dll
<SYSTEM>\servicerg.exe

If the installation is successful, the following message (in Spanish) is displayed in a pop-up window:

****** PROGRAMA INSTALADO CON EXITO! ******

If the installation fails then one of the following error messages is displayed in a pop-up window:

NO TIENE PRIVILEGIOS DEBE ENTRAR COMO ADMINISTRADOR! Error: 201
EL PROGRAMA YA SE ENCUENTRA INSTALADO! Error: 202
NO SE PUEDE INSTALAR EL PROGRAMA! Error: 203
NO TIENE PERMISOS DE ESCRITURA! Error: 204

These are common installation errors displayed in Spanish (lack of privileges, already installed, cannot be
installed, no write privileges).

If the installation is successful, the installer executes servicerg.exe and exits. Both servicerg.exe and
DFCDrgr.dll contain encrypted strings that were decrypted using a debugger. Servicerg.exe looks for
the files <ROOT>\Diebold\Dll\DFCDrgr.dll (malware) and <ROOT>\Diebold\Dll\DFCMsg.dll (most likely a
messaging DLL) and then it changes their file times to obscure the installation date.

Figure 15. servicerg.exe's main function

Next it calls SetTimer passing a parameter TimerFunc, which injects DFCDrgr.dll into process mu.exe.
This is a Diebold Agilis 91x process. Agilis is proprietary software and information about mu.exe is not
publicly available.

Figure 16. Injects code into process mu.exe

DFCDrgr.dll decrypts the file path strings:

<ROOT>\Documents and Settings\Diebold_ATM\Application Data\windows.sqb
<ROOT>\Documents and Settings\Diebold_ATM\Application Data\diebold.sqb

These are the log files into which the malware writes collected data. The data is encrypted with RC4 using
hardcoded keys.

Figure 17. DFCDrgr.dll's main routine

Skimer attempts to intercept SQSendToClient from the DLL file sharedq.dll, another Agilis component.
The memory buffer is parsed and the contents written to the log files. We speculate that function
SQSendToClient is used for communications with backend servers, and Skimer is attempting to capture
transaction metadata.

Figure 18. Skimer intercepts SQSendToClient from sharedq.dll

Skimer looks for a window with the name Diebold:OGuiFrame. This is the ATM's software user interface
and it holds transaction and cash information.

Figure 19. Capture data from Diebold:OGuiFrame

So why remove the cash-dispensing functionality from Skimer v2011? A simple answer might be that the
attackers want to compromise transaction data, including card numbers and PINs, which allows them
to manufacture counterfeit cards and use these cards for unauthorized cash withdrawals or to perform
fraudulent bank transfers.

Ploutus
The Ploutus malware is written in C# and compiled into a .NET binary. The Ploutus binaries are packed
with an aggressive packer called .NET Confuser 1.9 that provides anti-debugging, anti-dumping, and
anti-decompiling features together with code encryption. This packer can be bypassed using a memory
dumping tool such as MegaDumper.

All the malware files have similar version information with some variations in their internal names
such as: Ploutus.exe, PloutusService.exe, NCROWNED.exe, and ATMosphere.exe. On execution, the
Ploutus malware dynamically imports ATM-specific functions from the DLL file
ncr.aptra.axfs.activexfscontrols.dll. This is a proprietary NCR library that interfaces with XFS. A quick
Internet search reveals that detailed information about this DLL is readily available.

Ploutus' initial infection was supposedly done using a bootable CD-ROM. It is highly probable that the
lock of the ATM housing was either picked or opened with a key to access the CPU and load a CD-ROM
containing the malware. As mentioned before, in some more recent cases of infection, the criminals also
attached a mobile phone to the ATM via a USB cable.

Ploutus.A
The Ploutus malware is a fairly large program with 267 functions spread across 18 different classes.
The malware is self-contained and performs key functions such as: installation, keyboard hooking, GUI,
command processing, and cash dispensing. The following call graph traces the code execution from
installation to successful cash withdrawal and is used to highlight the important parts of Ploutus.

[Figure 20 call graph; nodes listed in the order they appear in the figure]

Installation and command-processing path: Program.Main, ProjectInstaller (Constructor),
ProjectInstaller.InitializeComponent (installer invoked on program startup), ServiceP (Constructor),
ServiceP.HookCallback, Keyboard.Read, Keyboard.StartTheThread, Keyboard.RealStart(int),
Keyboard.RealStart(KeyEventArgs), Keyboard.ProcessCommand / Keyboard.ProcessCommandGui,
Command.InitCommand / Command.InitCommandGui.

Cash-dispensing path: VdmManager.Init, VdmManager (instantiated), vdm_EntryRequested,
VdmManager.Command, VdmManager.DispenseThread, DispenseClass.Start, DispenseClass.Dispenser_Taken,
DispenseClass.Start, DispenserClass.SyncDispense and DispenserClass.CloseSession, both calling into
NCR.APTRA.AXFS.XFSCash.

Figure 20. Ploutus operations

Note: The call graph focuses only on the key classes and functions

On first execution, the ProjectInstaller class calls the ProjectInstaller.InitializeComponent method to install
Ploutus as a service with name NCRDRVPS.

private void InitializeComponent()
{
    Installer[] installerArray;
    this.ServiceProcessInstallerP = new ServiceProcessInstaller();
    this.ServiceInstallerP = new ServiceInstaller();
    this.ServiceProcessInstallerP.Account = 2;      // ServiceAccount.LocalSystem
    this.ServiceProcessInstallerP.Password = null;
    this.ServiceProcessInstallerP.Username = null;
    this.ServiceInstallerP.ServiceName = "NCRDRVPS";
    this.ServiceInstallerP.StartType = 2;           // ServiceStartMode.Automatic
    base.Installers.AddRange(new Installer[] { this.ServiceProcessInstallerP, this.ServiceInstallerP });
    return;
}

Figure 21. Ploutus is installed as a service named NCRDRVPS

The Program class calls the Program.Main method, which instantiates the ServiceP class. The
ServiceP.HookCallback method dynamically imports hooking functions from user32.dll, such as
SetWindowsHookEx, and uses them to hook the keyboard inputs. Ploutus can read user input from both
the ATM's PIN pad and a connected external keyboard. This is an interesting feature as it allows the
low-level operators withdrawing cash from the infected ATMs to use either the PIN pad or an attached
keyboard to interact with Ploutus.

The Keyboard class handles the processing of the keyboard and PIN pad inputs. Ploutus accepts the
following commands directly from the ATM PIN pad:

1. The command 12340000 prints "TEST KEYBOARD DATE:" followed by the date and time. This is a test
function to check whether the malware is correctly receiving input from the ATM PIN pad.

2. The command 12343570 prints "Receive Print ID". Function Command.InitCommand is called to
generate a random ATM ID (random numbers + time) on the screen. This is the number the operator
needs to provide to members of the criminal group for an activation ID to be produced. The activation
ID will allow the machine to proceed with the cash-dispensing routine. The ATM ID generation code
is created from random seeds based on the current time.

Label_001F:
time = DateTime.Now;
if (Data != 0xdf2)      // 0xdf2 = 3570, the tail of command 12343570
{
    goto Label_00FC;
}
Utils.UpdatedLog("Print ID");
random = new Random(DateTime.Now.Millisecond);
str2 = random.Next(0, 10).ToString() + random.Next(0, 10).ToString() + random.Next(0, 10).ToString() + random.Next(0, 10).ToString();
IniFile.IniWriteValue("Config", "DATAA", str2);
IniFile.IniWriteValue("Config", "DATAC", "");
PrintScreen.Write(string.Concat(new object[] { "ATM ID:", str2, "DATE", (DateTime)DateTime.Now }), 30);
return;

Figure 22. Command that prints "Receive Print ID"

3. The command 12343571 prints "Receive Activate ID" and then accepts an 8-digit activation code.
This activation code is required to start interacting with Ploutus to withdraw cash. This is a control
feature. The low-level operator withdrawing the cash from the ATM needs to call the criminal group to
receive the activation ID. The activation code is a function of the date and time.

Label_00FC:
if (Data != 0xdf3)      // 0xdf3 = 3571, the tail of command 12343571
{
    goto Label_0216;
}
if ((Parameter = Utils.AddCero(CryptClass.CryptTrack(time.Day, time.Month, int.Parse(str)).ToString())) == null)
{
    goto Label_01F0;
}
if ((CryptClass.getMd5Hash(Parameter) != IniFile.IniReadValue("Config", "DATAC")) == null)
{
    goto Label_01CA;
}

Figure 23. The "Receive Activate ID" command

4. The command 12343572 prints "Receive Dispense ID" and then accepts two digits, which is the
number of bills to dispense.

Label_0216:
if (Data != 0xdf4)      // 0xdf4 = 3572, the tail of command 12343572
{
    goto Label_034F;
}
MemoryData.Bill = int.Parse(Parameter);
str3 = IniFile.IniReadValue("Config", "DATAB");
if (str3.Length < 1)
{
    goto Label_0334;
}
span2 = DateTime.UtcNow - new DateTime(0x7B2, 1, 1, 0, 0, 0);   // 0x7B2 = 1970: seconds since the Unix epoch
num2 = span2.TotalSeconds;
if ((double.Parse(str3) + 86400.0) <= num2)                      // 86400 s = the 24-hour activation window
{
    goto Label_0318;
}
Utils.UpdateLog(string.Concat(new object[] { "DISPENSE START BILL:", (int)MemoryData.Bill, "DATE:", (DateTime)DateTime.Now }));
PrintScreen.Write(string.Concat(new object[] { "ATM:DISPENSE START BILL:", (int)MemoryData.Bill, "DATE:", (DateTime)DateTime.Now }), 10);
MemoryData.CommandType = 1;
VdmManager.Init();
return;

Figure 24. The "Receive Dispense ID" command

When the correct activation code is entered, Ploutus becomes active for the next 24 hours. The low-level
operator can withdraw cash only during this 24-hour period before requiring a new activation code. If the
operator tries to withdraw after 24 hours, Ploutus prints an error message which will stop the ATM from
dispensing cash.

span2 = DateTime.UtcNow - new DateTime(0x7B2, 1, 1, 0, 0, 0);   // seconds since 1970-01-01 UTC
num3 = span2.TotalSeconds;
if ((double.Parse(str3) + 86400.0) <= num3)                      // activation older than 24 hours
{
    goto Label_02F6;
}
thread4 = new Thread(new ThreadStart(this.Dispense));
thread4.Start();
return;
Label_02F6:
MemoryData.Msg = "DISPENCE:ERROR DATE: " + ((DateTime)DateTime.Now);
thread5 = new Thread(new ThreadStart(this.PrintV));
thread5.Start();
Thread.Sleep(0x7530);   // 30,000 ms
Application.Exit();
return;

Figure 25. Activation code entered

When interacting with a connected external keyboard, the Ploutus malware uses a GUI that simplifies
the operations. Entering the following key sequence brings up a GUI interface for Ploutus: F8 F1 F7 F3
F5 F4 F2

private static void RealStart(KeyEventArgs KeyData)
{
    if (KeyData.KeyCode != 0x77)    // 0x77 = Keys.F8
    {
        goto Label_0045;
    }
    if ((MemoryData.Command == "F8F1F7F5F4F2") == null)
    {
        goto Label_003B;
    }
    Program.NCRV.UIEnable();
    new Thread(new ThreadStart(Keyboard.HideTimer)).Start();

Figure 26. Ploutus GUI enable command processed

On the GUI the keyboard function keys are mapped as follows:

F1. Generar ID (Generate ID)

F2. Activar ATM (Activate ATM)

F3. Dispensar (Dispense)

F4. Salir (Disable GUI)

F5. Key Up

F6. Key Down

F7. Key Right

F8. Key Left

Instead of having to input a sequence of numbers to trigger this functionality, the low-level operator
can press the mapped function keys, which simplifies operations. Once the PIN pad or external
keyboard input is parsed, the function VdmManager.Init is called and starts the cash-dispensing process.
It detects a new XFSVendorModeClass and calls function VdmManager.Command, which in turn calls
VdmManager.DispenseThread. The DispenseClass instantiates a new XFSCashDispenserClass and
connects with the cash dispenser in the ATM using the XFS library. The actual dispensing is done by
the function DispenseClass.Availability_Changed. It gathers information about cash storage levels from
cassettes 1-4 and dispenses the requested number of bills by calling the XFSCashDispenserClass.SyncDispense
function imported from the NCR proprietary DLL file ncr.aptra.axfs.activexfscontrols.dll.

Ploutus.B
As mentioned previously, a month after the discovery of the original Ploutus malware, a more advanced
version of the malware surfaced in the wild. In the new version, the developers had re-designed the original
Ploutus into modules, and the GUI and external keyboard inputs were removed. This new variant, dubbed
Ploutus.B, makes it more difficult to discover an infection, as there are now three modules to identify
and detect as opposed to one. The Spanish language strings found in the original Ploutus malware were
translated into English. Some observers are suggesting that this is a strong indication that Ploutus.B is
also being used in other countries.

We only succeeded in collecting the Ploutus.exe module of Ploutus.B for our investigations. Symantec
has published a blog detailing all three modules.33 Ploutus.B is composed of the following modules:

The Service module: this installs the Ploutus malware with service name NCRDRVP. The malware
also hooks the PIN pad in order to receive user commands. Ploutus loads a Dispatcher component
as a DLL and forwards the commands being received to it through a raw socket.

The Dispatcher module: this receives user commands forwarded by the Service module. This
module then executes Ploutus.exe via command line arguments, passing the command received as
a parameter.

The Ploutus.exe module: this interprets the received user commands, displays a GUI showing cash
levels for the different cassettes, and dispenses cash. As an option, it can print all operation log
messages to a USBReceiptPrinter1 via the XFSGenericPrinterClass. This corresponds to the ATM
printer hardware.

The following call graph traces the code execution in the Ploutus.exe module of Ploutus.B:

[Figure 27 call graph; nodes listed in figure order] Program.Main (instantiates),
Panel.InitializeComponent, Panel.Panel_Load, Panel.ReceiveTrack, Panel.DispenseV, DispenseClass.Start,
DispenseClass.Dispenser_Taken, DispenseClass.Dispenser_Availability_Changed, DispenseClass.SyncDispense,
NCR.APTRA.AXFS.XFSCash.

Figure 27. The Ploutus.exe module operations

Comparing this call graph to the original Ploutus call graph, we can quickly identify what components
have been removed. The classes and functions that did the installation, keyboard hooking, and command
processing have all been removed. Also the intermediary VdmManager class has been removed,
streamlining the entire cash-dispensing process.

The user command format has also changed. The operator needs to enter a 16-digit command on
the ATM's PIN pad. The Service module forwards the user command to the Dispatcher module
through a raw socket. The Dispatcher executes Ploutus.exe via command line arguments, passing
a parameter string of length. The user command follows the "=" delimiter in that string. The Panel
class in the Ploutus.exe module receives this string and parses it, then extracts the 16-digit
user input command, validates it, and executes the command if everything is correct. The last
two digits of the user command are the actual user command, with the only exception being the ATM ID
generation command:

1. The command 2836957412536985 generates a new ATM ID:

Label_0418:
if ((str == "2836957412536985") == null)
{
    goto Label_0519;
}
random = new Random(DateTime.Now.Millisecond);
str6 = random.Next(0, 10).ToString() + random.Next(0, 10).ToString() + random.Next(0, 10).ToString() + random.Next(0, 10).ToString();
IniFile.IniWriteValue("Config", "DATAA", str6);
IniFile.IniWriteValue("Config", "DATAA", "");
MemoryData.Msg = string.Concat(new object[] { "ATM ID:", str6, "DATE:", (DateTime)DateTime.Now });
thread9 = new Thread(new ThreadStart(this.PrintV));
thread9.Start();
Thread.Sleep(0x7530);   // 30,000 ms
Application.Exit();
return;

Figure 28. The Ploutus.exe module operations

2. If the last two digits are 54, then Ploutus checks the activation code. This code is required to start
interacting with Ploutus.B to withdraw money. This is a control feature. The low-level operator
withdrawing the cash needs to call the criminal group to receive the activation code. The activation
code is calculated as a function of the date and time. The activation code is 8 digits long and is constructed
from the user input command by combining the following characters:

Activation code = CMD[3].CMD[13].CMD[1].CMD[9].CMD[0].CMD[5].CMD[11].CMD[7]

where CMD[X] denotes the character in position X of the user input command string CMD, and X is
a number between 0 and 15.

When the correct activation code is entered, the Ploutus malware becomes active for 24 hours. The
low-level operator can withdraw cash only during this 24-hour period before requiring a new activation
code. If 24 hours have passed and the operator tries to dispense cash again, then Ploutus prints
an error message and will not dispense cash. If an incorrect activation code is entered, Ploutus.B
will sleep for 500 minutes, rendering repeated attempts to activate the malware useless. This is yet
another built-in security control.

3. If the last two digits are 31, then Ploutus dispenses cash. Absent from Ploutus.B is the option to
specify the number of bills to dispense. The malware checks the number of bills in each cassette and
dispenses all the cash from the first cassette, which is 40 or more bills, and repeats the process
every time it receives a new dispense request. It only checks four cassettes because the NCR ATMs
the criminal group is targeting only have four cassettes. After dispensing the cash, a GUI displays
information about the remaining cash levels in each cassette as well as the malware execution log.

4. If the last two digits are 99, then Ploutus terminates itself using the Windows TaskKill command:

cmd.exe /C TASKKILL /F /IM Ploutus.exe
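To make the Ploutus.B command handling concrete, the following Python model is an added example for analysts (not code from the report or from the malware) covering the 16-digit command format above and the 24-hour activation-window test shown in Figures 24 and 25. It uses only what the report states (the 54/31/99 suffixes, the fixed ATM-ID command, the activation-code positions, and the expiry test against seconds since 1970-01-01 UTC); all function and constant names are the example's own.

```python
"""Model of the Ploutus.B 16-digit PIN pad command and the 24-hour activation window.

Added example for analysts; not code from the report or from the malware. Only facts
stated in the report are used: the last two digits select the action (54 activate,
31 dispense, 99 terminate), the fixed ATM-ID command, the activation-code positions,
and the expiry test (stored + 86400.0) <= seconds-since-1970-01-01-UTC.
"""
from datetime import datetime, timezone

ATM_ID_COMMAND = "2836957412536985"            # generates a new ATM ID
ACTIONS = {"54": "activate", "31": "dispense", "99": "terminate"}
# CMD[3].CMD[13].CMD[1].CMD[9].CMD[0].CMD[5].CMD[11].CMD[7]
ACTIVATION_POSITIONS = (3, 13, 1, 9, 0, 5, 11, 7)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)   # new DateTime(0x7B2, 1, 1)
ACTIVATION_WINDOW = 86400.0                              # seconds


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def classify_command(cmd):
    """Return the action a PIN pad command would trigger, or 'invalid'/'unknown'."""
    if len(cmd) != 16 or not cmd.isdigit():
        return "invalid"                        # Ploutus.B only accepts 16 digits
    if cmd == ATM_ID_COMMAND:
        return "generate_atm_id"                # the one command not selected by its suffix
    return ACTIONS.get(cmd[-2:], "unknown")


def extract_activation_code(cmd):
    """Assemble the 8-digit activation code from the fixed positions of a ...54 command."""
    if classify_command(cmd) != "activate":
        raise ValueError("activation code is only carried by a command ending in 54")
    return "".join(cmd[i] for i in ACTIVATION_POSITIONS)


def filler_positions():
    """Digits of an activate command that carry neither code nor action (padding)."""
    used = set(ACTIVATION_POSITIONS) | {14, 15}
    return tuple(i for i in range(16) if i not in used)


def seconds_since_epoch(when):
    return (when.astimezone(timezone.utc) - UNIX_EPOCH).total_seconds()


def activation_still_valid(activated_at, now):
    """Mirror the decompiled test: expired when stored + 86400.0 <= now."""
    return seconds_since_epoch(activated_at) + ACTIVATION_WINDOW > seconds_since_epoch(now)


def describe(cmd, activated_at=None, now=None):
    """Summarise what Ploutus.B would do with a command; dispense needs a live activation."""
    action = classify_command(cmd)
    info = {"action": action}
    if action == "activate":
        info["activation_code"] = extract_activation_code(cmd)
    if action == "dispense":
        info["allowed"] = bool(activated_at and now and activation_still_valid(activated_at, now))
    return info


if __name__ == "__main__":
    # Constructed command strings: the digits are arbitrary except for the suffix.
    print(describe("0123456789012354"))
    print(describe("0123456789012331", utc(2014, 1, 1), utc(2014, 1, 2)))
    print("filler positions:", filler_positions())
```

Reading the command this way shows that positions 2, 4, 6, 8, 10 and 12 of an activate command are never used, a detail worth knowing when reconstructing operator input from PIN pad logs.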

Once the PIN pad input has been parsed, the function Panel.DispenseV calls function DispenseClass,
which instantiates a new XFSCashDispenserClass and connects with the cash dispenser in the ATM
using the XFS library. The actual dispensing is done by function DispenseClass.Availability_Changed
and dispenses the cash by calling the XFSCashDispenserClass.SyncDispense function imported from
the NCR proprietary DLL file: ncr.aptra.axfs.activexfscontrols.dll.

Padpin
The Padpin samples that we investigated were all compiled using .NET with the exception of one sample
that was compiled as a regular PE file. The installation procedure for all the Padpin samples is very similar.
The following call diagram illustrates the installation process.

[Figure 29 call diagram; recoverable nodes] Form1 calls InitializeComponent and Form1_Shown;
Form1_Shown then calls, in order: (1) GetNeededFolderPath; (2) SetAutoStartUpRegistry, with
DeleteStartupFolderFile; (3) PrepareXFSManagementAndOpenService, with ExecuteOpen; (4) SilentDeleteFile,
with ExecuteStartUp; (5) MainLoop, with IsTimeintervalCorrect.

Figure 29. Padpin's installation procedure

Padpin installs itself with the binary name ulssm.exe. When first executed, the top-level function Form1
calls InitializeComponent, which initializes all the global variables and arrays used by the malware. After
initialization, the installation function Form1_Shown is called. This, in turn, calls GetNeededFolderPath
and SetAutoStartUpRegistry to install the file.

Padpin copies itself to folder:

<SYSTEM>\ulssm.exe

Autorun registry key added:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AptraDebug

Aptra is the name of NCR's ATM software. The Padpin malware targets NCR ATMs and pretends to
be a component of Aptra in order to avoid detection. When first executed, Padpin calls function
PrepareXFSManagementAndOpenService, which attempts to establish a connection with the ATM's PIN
pad. The goal is to hook the PIN pad so the malware knows when the MasterKey is entered. If Padpin fails
to establish a connection with the PIN pad, it cleanly uninstalls itself from the ATM. Once the connection to
the PIN pad is successfully established, the TimeInterval function is called. This sets the global
PIN_PAD_ACTIVE_TIME, which specifies the times the Padpin malware will be active. By default the malware is set
to be active between 1 a.m. and 5 a.m. between Sunday and Monday. After these steps are complete,
the installation function Form1_Shown starts the MainLoop and returns control to Form1. MainLoop runs
in the background and will display the Padpin user interface once the correct MasterKey is entered. The
top-level function Form1 waits for the following user input on the PIN pad:

MKEY_CLOSE_AND_ERASE_APP: exit and delete self (888888)

MKEY_SHOW_APP: display Padpin's user interface (222222)

MKEY_HIDE_APP: hide the malware's user interface (111111)

MKEY_EXTEND_TIME: modify active time (six 0x20, mapped to some undetermined
key on the ATM's PIN pad; mapped to the SPACE key on a regular keyboard)

The input value varies between Padpin samples. MKEY_CLOSE_AND_ERASE_APP accepts user input
333333 and MKEY_EXTEND_TIME accepts user input 555555 in some Padpin variants.34,35

When the operator inputs the key sequence corresponding to MKEY_SHOW_APP, the program transfers
control to MainLoop.

[Figure 30 call graph; recoverable nodes] MainLoop; GetMasterKeyToPINFK; GetPINKDigitFromDecimalNumber;
WaitForMasterKey; PrepareXFSManagementAndOpenService; ExecuteOpen; ExecuteStartUp; PrintInfo; PrintCode;
ClearCassetteInfo; RemoveControlFromForm; RemoveControls; SilentDeleteFile; scenario(GetMasterKeyMask);
GetDecimalNumberFromPinkDigit; ExecuteDispense; DrawCassetteInfo; GetCashUnitInfo; AddControlToTheForm;
AddControls.

Figure 30. Padpin operations

After the Padpin user interface is launched, a random code is displayed on the ATM screen. The operator
needs to input the corresponding session key (described in the function names as MasterKey) in order
to advance to the next stage. The operator may already have the session key or most likely will have to
call someone for the key. This is a control mechanism built into Padpin to prevent abuse by low-level
operators. The functions GetMasterKeyToPINFK and WaitForMasterKey handle the session key input and
validation. Once the session key is validated, Padpin establishes a connection with the cash dispenser via
the PrepareXFSManagementAndOpenService function.

Then it calls a function named scenario, passing it the parameter GetMasterKeyMask. This function is a case
statement that runs different commands based on the user input. It provides the following functionality
to the user:

- Prints information to the ATM screen

- Uninstalls the Padpin malware from the infected ATM

- Retrieves stored cash information from the cassettes and prints it to the screen

- Dispenses cash from the cassette via the function call WFSExecute and prints a message on screen

- Extends the cash dispensing interval by 10 more hours

These are the input values expected by this function:

Text input                              Description
GetMasterKeyMask=0                      Checks whether Padpin is ready to dispense cash. Prints messages "CASH OPERATION PERMITTED" and "TO START DISPENSE OPERATION - ENTER CASSETTE NUMBER AND PRESS ENTER."
GetMasterKeyMask=1                      Disables Padpin's user interface by setting IS_WIN_ACTIVE=0
GetMasterKeyMask=2                      Disables the LAN and readies to dispense cash. Prints messages "DISABLING LOCAL AREA NETWORK...PLEASE WAIT...", "CASH OPERATION PERMITTED." and "TO START DISPENSE OPERATION - ENTER CASSETTE NUMBER AND PRESS ENTER."
GetMasterKeyMask=3                      Extends the operation time. Prints message "TIME WAS EXTENDED. +++."
GetMasterKeyMask=4, 5, 6, 7, 8,         Dispenses cash from the ATM and resets to dispense again. Prints messages "CASH OPERATION IN PROGRESS...PLEASE WAIT...", "CASH OPERATION FINISHED.", "TAKE THE MONEY NOW!", "CASH OPERATION PERMITTED" and "TO START DISPENSE OPERATION ENTER CASSETTE NUMBER AND PRESS ENTER." If an invalid cassette number is entered, it prints message "INVALID CASSETTE NUMBER. TRY AGAIN. TO START DISPENSE OPERATION - ENTER CASSETTE NUMBER AND PRESS ENTER." If the session expires, it instead prints message "DISPENSE OPERATION DENIED. ENTER SESSION KEY."
or case statement default
GetMasterKeyMask=9                      Uninstalls Padpin. Prints message "DELETING APPLICATION..."

Table 1. The Ploutus.exe module operations

Although the Malaysian police did not explicitly state in their report that it was Padpin, they mentioned
the following: "The thieves inserted a CD-ROM into each of the machines and launched the ulssm.exe
file which infects the ATM." This is Padpin's installation name and its known infection method. It is
very interesting to find the Padpin malware being used on two different continents only a few months
apart. Perhaps a truly international criminal group is behind Padpin, the malware code was sold, or the
code was stolen and repurposed.

Based on code analysis, we discovered that Padpin explicitly targets ATMs manufactured by NCR with
McAfee Solidcore application control running on them.36

Figure 31. Padpin targets NCR-manufactured ATMs running McAfee Solidcore

Padpin's initial infection was supposedly done via a bootable CD.37 It is highly probable that the same
installation CD contains tools to disable McAfee Solidcore. Padpin uses the XFS middleware to interface
with the ATM hardware, meaning the malware code is portable and could potentially be used to infect
ATMs made by manufacturers other than NCR with little or no code modification.

GreenDispenser
In this section we look at the inner workings of GreenDispenser. The sample that we analyzed was
compiled using Visual C++. The top-level user code function is as follows:

Figure 32. Top-level user code

On first execution, GreenDispenser checks the time using the Windows API GetSystemTime. If the year is
2015 and the month is between January and August, GreenDispenser will run; otherwise, it will exit.
The samples were created for a time-limited campaign. Once the date has been verified,
GreenDispenser checks for the existence of the mutex dispenserprogrm, and then it also creates a desktop
called dMain. Next, it creates a window with the parameter WS_EX_TOPMOST, which places the window
above all other windows. This new window displays the error message "We regret this ATM is temporary
out of service". This effectively renders the infected ATM unusable to regular users. GreenDispenser starts
the main user code as a new thread.

Figure 33. Main user code

This thread establishes a connection with the XFS Manager using the XFS API WFSStartup. GreenDispenser,
unlike other known ATM malware families, does not restrict itself to targeting only ATMs from a
single manufacturer. Instead, the malware is designed to be able to compromise any ATM that uses the
XFS middleware. To achieve this, GreenDispenser has streamlined its functionality and only connects with two
peripherals: the cash dispenser (to dispense cash) and the PIN pad (to accept user input). It queries the following
registry key values to retrieve the peripheral device names for the cash dispenser and PIN pad:

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICE class=CDM
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICE class=PIN

If no names are found in any of those registry keys, then the malware switches to the XFS defaults:
CurrencyDispenser1 and Pinpad1. GreenDispenser employs a two-stage authentication process before
the operator can access the cash dispenser menu. The first authentication key is used for disabling the
top window displaying the error message "We regret this ATM is temporary out of service". Once the error
window is disabled, GreenDispenser displays a new screen with a QR code and menu options: "Enter
second key. Press 9 to pause, 8 to permanently delete."

Figure 34. The QR code GreenDispenser displays when the error window is disabled

Enter second key. Press 9 to pause, 8 to permanently delete

Figure 35. The QR code screen message

The second authentication key is dynamically generated using the Windows built-in cryptographic
functions (imported from advapi32.dll). A random string is generated and encrypted using these
cryptographic functions. The QR code, which decodes to the same text printed below it, displays the
encrypted second key. The operator scans the QR code and either uses a custom app to decrypt the key
or contacts the main criminal group for help with decryption. The decrypted second key is entered on the
PIN pad to access the cash dispenser menu.

The operator also has the option of pausing or uninstalling GreenDispenser. If the pause option is selected
then all opened XFS sessions are closed using WFSClose and the malware returns to the error screen "We
regret this ATM is temporary out of service". If the permanent delete option is selected then GreenDispenser
uninstalls itself and the ATM is returned to its regular operations.

The cash dispenser menu displays the options "Press 1 to dispense money, 8 to permanently delete, 88
to force delete or 9 to pause". It also displays the number of "Bills left:" in the ATM.

Figure 36. GreenDispensers cash dispensing routine

If the dispense money option is selected, GreenDispenser sends the command WFS_CMD_CDM_DISPENSE
via WFSExecute to the ATM's cash dispenser:

Figure 37. WFS_CMD_CDM_DISPENSE command sent via WFSExecute to dispense cash

GreenDispenser does not provide an option to specify the number of bills to dispense. Instead it uses
the default parameter values in struct _wfs_cmd_dispense. To dispense all of the cash in the ATM, the
operator will need to run the dispense money command multiple times. After each dispense operation
Bills left: is updated to show how many bills remain inside the ATM. GreenDispenser assumes there is
only a single currency type stored in the ATM.

Figure 38. Part of GreenDispensers uninstall routine

GreenDispenser has an elaborate uninstall procedure to remove all traces of an infection. It drops the
files:38 del.bat (batch script code shown in the previous screenshot) and del.exe (this is the delete program
from Windows Sysinternals) which are embedded in the .data section of the executable. Then, it executes
them to perform a clean uninstall and remove all traces of the malware. After GreenDispenser has been
successfully removed from the system the ATM returns to its regular operations.
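The host artifacts this chapter attributes to Ploutus (services NCRDRVPS and NCRDRVP), Padpin (the AptraDebug Run value and <SYSTEM>\ulssm.exe) and GreenDispenser (the dispenserprogrm mutex and the dMain desktop) are easy to check for in bulk. The following Python triage is an added defender-side example, not code from the report; the snapshot layout (service names, Run values, mutexes and desktops as some endpoint agent might export them) and the sample data are constructed for the example.

```python
"""Host-artifact triage for the Ploutus, Padpin and GreenDispenser indicators named in this
report. Added example for defenders; not code from the report. The snapshot layout and the
sample snapshots below are constructed assumptions, not data from a real ATM.
"""
from dataclasses import dataclass, field

# Indicators exactly as stated in the report.
PLOUTUS_SERVICES = {"NCRDRVPS", "NCRDRVP"}   # Ploutus.A service / Ploutus.B Service module
PADPIN_RUN_VALUE = "APTRADEBUG"              # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AptraDebug
PADPIN_BINARY = "ulssm.exe"                  # copied to <SYSTEM>\ulssm.exe
GREENDISPENSER_MUTEX = "dispenserprogrm"
GREENDISPENSER_DESKTOP = "dMain"


@dataclass
class HostSnapshot:
    services: dict = field(default_factory=dict)     # service name -> image path
    run_values: dict = field(default_factory=dict)   # full Run value path -> command line
    mutexes: set = field(default_factory=set)
    desktops: set = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    family: str
    artifact: str
    detail: str


def triage(snap):
    """Return one Finding per matching artifact, in a stable order."""
    findings = []
    for name, image in sorted(snap.services.items()):
        if name.upper() in PLOUTUS_SERVICES:
            findings.append(Finding("Ploutus", f"service {name}", image))
    for value, cmd in sorted(snap.run_values.items()):
        # Either the value name or the launched binary is enough to flag Padpin.
        value_name = value.upper().rsplit("\\", 1)[-1]
        if value_name == PADPIN_RUN_VALUE or cmd.lower().endswith(PADPIN_BINARY):
            findings.append(Finding("Padpin", f"run value {value}", cmd))
    if GREENDISPENSER_MUTEX in snap.mutexes:
        findings.append(Finding("GreenDispenser", "mutex", GREENDISPENSER_MUTEX))
    if GREENDISPENSER_DESKTOP in snap.desktops:
        findings.append(Finding("GreenDispenser", "desktop", GREENDISPENSER_DESKTOP))
    return findings


def families_seen(snap):
    """Sorted list of malware families with at least one artifact on the host."""
    return sorted({f.family for f in triage(snap)})


# Constructed snapshot of a host carrying artifacts of all three families.
SAMPLE = HostSnapshot(
    services={"NCRDRVPS": r"C:\placeholder\Ploutus.exe",
              "Spooler": r"C:\Windows\System32\spoolsv.exe"},
    run_values={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AptraDebug":
                r"C:\Windows\System32\ulssm.exe"},
    mutexes={"dispenserprogrm", "Global\\SomeVendorMutex"},
    desktops={"Default", "dMain"},
)

# Constructed snapshot of a clean host.
CLEAN = HostSnapshot(services={"Spooler": r"C:\Windows\System32\spoolsv.exe"},
                     desktops={"Default"})

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.family:15} {f.artifact:70} {f.detail}")
```

The GreenDispenser date gate (January to August 2015) means a live mutex is unlikely to be found today, but the service and Run-key names survive reboots and are the durable indicators to sweep for.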

Suceful
Suceful is coded in Borland C++. For execution it needs the following files to be present in <SYSTEM>:
borlndmm.dll, cc3260mt.dll, rt160.bpl, vc160.bpl, and the XFS library msxfs.dll. Because msxfs.dll is a
private library a fake msxfs.dll was used instead. This fake module has the same export function names
as the original but returns random values.39 When run, Suceful displays the following GUI:

Figure 39. Sucefuls main GUI

The GUI shows Suceful targeting both Diebold and NCR-manufactured ATMs. While analyzing the code,
we found no evidence that NCR ATMs were being targeted. NCR ATMs are possibly a future target for
the Suceful group, which is probably the reason why button labels for NCR were included in the GUI.
Each button in the Suceful GUI is mapped to a Button#Click function that gets called when the button is
pressed.

Figure 40. Buttons mapped to Button#Click functions

The Suceful GUI's functions can be categorized into six functional groups:

PIN pad

XFS-specific

Sensors and Indicators Unit (SIU)

Diebold-specific

Card reader

Other

These functions will work on any ATM that uses the XFS middleware.40 The Diebold-specific functions
are the only exception because they pass Diebold Agilis parameters to XFS function calls. Within each
functional group there are functions mapped to different buttons, but each performs the exact same
actions. The code implementations of these analogous functions differ slightly. A reasonable explanation
could be that the Suceful group is developing these analogous functions within the prototyping tool to
quickly compare results. The most efficient function implementation will possibly be executed for the
malware that will actually be used.

XFS-specific functions

Figure 41. XFS-specific function buttons

XFS-specific function buttons form a third of all buttons in the GUI. The following table lists function
names, button text, and corresponding actions:

Function name | Button text | Action
Button1Click | StartUP | Establishes a connection with the XFS Manager using the function WFSStartUp.
Button2Click | Window | Prints the result extracted from struct _wfs_result in the Memo1 window (vertical textbox adjacent to Memo2).
Button10Click | Regvest | Enables event monitoring for the specified service using the function WFSRegister.
Button11Click | Window 2 | Prints the result in the Memo1 window (vertical textbox adjacent to Memo2).
Button12Click | ChancelAsincRegvest | Cancels the specified asynchronous request currently being performed using the function WFSCancelAsyncRequest.
Button13Click | (Cyrillic) | Hooks the API WFSAsyncExecute. This enables Suceful to monitor all commands sent to the ATM's peripheral devices. The button text in Cyrillic is Russian for "Replace", probably a debugging string for the developer.
Button14Click | (Cyrillic) 2 | Copies the API WFSAsyncExecute into a memory space, in order to modify the code and use it later for hooking WFSAsyncExecute. The button text in Cyrillic is Russian for "Replace 2", similar to the above.
Button17Click | Window | Prints the result extracted from struct _wfs_result in the Memo1 window (vertical textbox adjacent to Memo2).
Button18Click | Startap | Establishes a connection with the XFS Manager using the function WFSStartUp.
Button24Click | StaartUP | Establishes a connection with the XFS Manager using the function WFSStartUp.
Button26Click | Canchel | Cancels a blocking operation for the specified thread using the function WFSCancelBlockingCall.

Table 2. XFS-specific function buttons: function names, button text, and corresponding actions
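The Button13Click and Button14Click entries above describe Suceful hooking WFSAsyncExecute by copying and modifying the API's code so that every command sent to the ATM peripherals passes through the malware. The defensive counterpart is to verify that the prologues of the msxfs.dll exports in a running process still match the on-disk image, and to resolve any trampoline found there to see whether it leaves the module. The following Python is an added example, not code from the paper, from Suceful or from any XFS vendor: it runs over constructed byte strings rather than reading process memory, and the module base address, image size, export addresses and the hook target 0x00401000 are all hypothetical sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ModuleImage:
    """Load address and size of a loaded DLL (constructed sample values below)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def trampoline_target(func_addr: int, code: bytes) -> Optional[int]:
    """Resolve the destination of a 32-bit inline hook stub, if `code` starts with one.

    Recognised stubs: E9 rel32 (jmp), E8 rel32 (call) and 68 imm32 / C3 (push/ret).
    Returns None when the bytes do not start with a recognised stub.
    """
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(module: ModuleImage, name: str, func_addr: int,
                 disk_prologue: bytes, mem_prologue: bytes) -> dict:
    """Compare an export's in-memory prologue with the on-disk image and classify the difference."""
    result = {"function": name, "hooked": False, "target": None,
              "reason": "prologue matches on-disk image"}
    if mem_prologue == disk_prologue:
        return result
    result["hooked"] = True
    target = trampoline_target(func_addr, mem_prologue)
    result["target"] = target
    if target is None:
        result["reason"] = "prologue differs from on-disk image (unrecognised patch)"
    elif module.contains(target):
        result["reason"] = f"prologue redirected inside {module.name} (verify before trusting)"
    else:
        result["reason"] = f"prologue redirected outside {module.name}"
    return result


# Constructed sample: a 32-bit msxfs.dll loaded at a hypothetical base address.
MSXFS = ModuleImage("msxfs.dll", base=0x10000000, size=0x20000)
WFS_ASYNC_EXECUTE = 0x10003000   # hypothetical export address
WFS_OPEN = 0x10002000            # hypothetical export address
DISK_PROLOGUE = bytes.fromhex("8BFF558BEC")   # mov edi,edi / push ebp / mov ebp,esp


def _jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` as E9 rel32 placed at address `src` (used only to build the sample)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# In-memory snapshot: WFSOpen untouched, WFSAsyncExecute redirected to a hypothetical
# address that lies outside the msxfs.dll image.
HOOK_TARGET = 0x00401000
MEM_SNAPSHOT = {
    "WFSOpen": (WFS_OPEN, DISK_PROLOGUE),
    "WFSAsyncExecute": (WFS_ASYNC_EXECUTE, _jmp_rel32(WFS_ASYNC_EXECUTE, HOOK_TARGET)),
}


def audit_sample() -> list:
    """Run the check over the constructed snapshot; returns one verdict per export."""
    return [check_export(MSXFS, name, addr, DISK_PROLOGUE, mem)
            for name, (addr, mem) in MEM_SNAPSHOT.items()]


if __name__ == "__main__":
    for verdict in audit_sample():
        print(verdict)
```

On a real ATM the disk prologue would come from the msxfs.dll file and the memory prologue from the XFS application's process, read with whatever memory-inspection tooling the bank's endpoint agent provides; a redirect to an address outside every legitimately loaded module is the signal worth alerting on.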

PIN pad functions

Figure 42. PIN pad function buttons

Suceful uses XFS functions to access the ATM's PIN pad. The following table lists function names, button
text, and corresponding actions:

Function name | Button text | Action
Button29Click | Open | Passes the parameter Pinpad1 to WFSOpen to initiate a session with the ATM's PIN pad.
Button30Click | Get key | Sends the command WFS_CMD_PIN_GET_DATA via WFSExecute to get the keystrokes entered by the user.
Button32Click | GetKey2 | Sends the command WFS_CMD_PIN_GET_DATA via WFSExecute to get the keystrokes entered by the user.

Table 3. Function names, button text, and corresponding actions

Card Reader functions

Figure 43. Card reader function buttons

Suceful uses XFS functions to access the ATM's card reader. This allows it to read track data from inserted
payment cards. The following table lists function names, button text, and corresponding actions:

Function name | Button text | Action
Button9Click | ncr | Passes the parameter IDCardUnit1 to WFSOpen to initiate a session with the card reader. The button is deliberately mislabeled "ncr".
Button6Click | READ | Reads all payment card track data by sending the command WFS_CMD_IDC_READ_RAW_DATA via WFSAsyncExecute.
Button3Click | EDJEKT | Ejects the inserted card from the ATM by sending the command WFS_CMD_IDC_EJECT_CARD via WFSAsyncExecute.
Button16Click | RETAIN | Retains the inserted card inside the ATM by sending the command WFS_CMD_IDC_RETAIN_CARD via WFSAsyncExecute.
Button7Click | edjekt | Ejects the inserted card from the ATM by sending the command WFS_CMD_IDC_EJECT_CARD via WFSAsyncExecute.
Button25Click | Retain | Retains the inserted card inside the ATM by sending the command WFS_CMD_IDC_RETAIN_CARD via WFSAsyncExecute.
Button4Click | read | Creates a thread to read all payment card track data by sending the command WFS_CMD_IDC_READ_RAW_DATA via WFSAsyncExecute.

Table 4. The functions, button text, and actions of the XFS functions Suceful uses

SIU functions

Figure 44. SIU function buttons

The SIU class is generally used for the operation of door sensors, alarm sensors, generic sensors, key
switch sensors, lamp/sign indicators, auxiliary indicators, and enhanced audio controls. Modifying SIU
ports suggests physical compromise of the ATM, since this may affect any alarms or protections physically
attached to the machine. The following table lists function names, button text, and corresponding actions:

Function name | Button text | Action
Button20Click | (Cyrillic) | Sets or clears output ports in the SIU by sending the command WFS_CMD_SIU_SET_PORTS via WFSAsyncExecute. The button text in Cyrillic is Russian for "ON".
Button21Click | Button21 | Sets the status of the auxiliary indicator by sending the command WFS_CMD_SIU_SET_AUXILIARY via WFSAsyncExecute.
Button22Click | Button 22 | Sets the status of the guidance light indicator by sending the command WFS_CMD_SIU_SET_GUIDLIGHT via WFSAsyncExecute.
Button23Click | (Cyrillic) | Sets or clears output ports in the SIU by sending the command WFS_CMD_SIU_SET_PORTS via WFSAsyncExecute. The button text in Cyrillic is Russian for "OFF".
Button27Click | OPENncr | Passes the parameter SIU to WFSOpen to initiate a session with the SIU. The button is deliberately mislabeled "OPENncr".

Table 5. SIU function names, button text, and corresponding actions

Diebold-specific functions

Figure 45. Diebold function buttons

The Diebold-specific functions pass Diebold Agilis parameters to XFS function calls. This is a clear
indication that the Suceful group is targeting Diebold ATMs. The following table lists function names,
button text, and corresponding actions:

Function name | Button text | Action
Button5Click | OpenSessionsDiebold | Passes the parameter DBD_MOTOCARDRDR to WFSAsyncOpen to initiate a session with the Diebold ATM card reader.
Button8Click | OpenDIEBOLD | Passes the parameter DBD_MOTOCARDRDR to WFSOpen to initiate a session with the Diebold ATM card reader.
Button19Click | Open | Passes the parameter DBD_TERMINALIO to WFSOpen to initiate a session with the Diebold Terminal Input Output, the SIU equivalent.
Button28Click | (Cyrillic) | Passes the parameter text DBD_MOTOCARDRDR, read from the textbox above the button, to WFSAsyncOpen to initiate a session with the Diebold ATM card reader. The button text in Cyrillic is "open by topic/name/title".

Table 6. Function names, button text, and corresponding actions of Suceful

Other functions

Figure 46. Other function buttons

These are testing functions for the GUI and error handler. The following table lists function names, button
text, and corresponding actions:

Function name | Button text | Action
Button15Click | test free | A series of pop-up windows display the codes 802, 807, 801, 802, 805, 806, and 2. Probably used for GUI testing.
Button31Click | test | Calls an empty function that performs no action. Probably used for GUI testing.
Button33Click | Button 33 | Prints the last XFS error message from the error handler function.

Table 7. Function names, button text, and corresponding actions

There are a few interesting observations about Suceful:

There is no user access control mechanism in Suceful. This is a common feature in most ATM malware.
The absence of a user access control mechanism supports our theory that Suceful is a prototyping
tool and not the actual malware that will be deployed in ATMs.

Cash-dispensing functions were not tested in Suceful. The Suceful group may be targeting payment
card track data only.

The Suceful group had access to leaked Diebold Agilis XFS manuals. A quick Internet search shows
Agilis XFS manuals are readily available for download. This is an example of an Agilis XFS manual
available for download from Baidu:

Figure 47. Sample Diebold Agilis XFS manual available for download from Baidu

The Suceful group may have been scanning their tool on VirusTotal to measure both detection coverage
and the time it takes for a new detection to be added. This would give them an estimate of the safe operating
time window for the actual ATM malware they are developing. The presence of this development tool in a
public place such as VirusTotal is a mistake on the malware developer's part, probably due to
inexperience or ignorance.

Neopocket
On first execution, NeoPocket checks whether the system date is May 20, 2014 or earlier. If it is not,
the malware exits the installation process. A NeoPocket process running on a compromised ATM
will automatically terminate itself at 12:00 a.m. on May 21, 2014, but will not uninstall itself. NeoPocket
is designed for a time-limited campaign. Other versions of NeoPocket are expected to have different
termination dates.

NeoPocket will only run when executed from the <ROOT> directory. Similar to other ATM malware,
NeoPocket requires an installation key. This feature enables the criminal group to track/control the
malware-infected ATMs and it also prevents a rogue low-level operator from installing the Trojan on
random ATMs to steal the collected transaction data.

Figure 48. NeoPocket access code request window

The pop-up installation window displays the message "Por Favor Ingrese la Clave de instalacion
Proporcione el siguiente numero", which translates to "Please enter the installation key. Provide the
following number". The installation key is dynamically generated and is a function of the number displayed
in the pop-up window (in this case 8357965), the PresentDate, and the DayOfMonth.

Figure 49. Dynamically-generated access code

The low-level operator needs to call up the main criminal group, provide the number displayed in the pop-
up window, and receive the installation key. After the installation key is input, the malware completes the
installation and displays the following pop-up message:

Figure 50. Pop-up message when installation is successful

NeoPocket is manually installed on the ATM. The operator uses a keyboard to enter the
installation key in the pop-up installation window. NeoPocket does not communicate with the ATM's
peripheral devices and thus does not have access to the ATM's PIN pad. The malware is installed from a
USB device (more on this later).

NeoPocket installs the following files in <ROOT>\Diebold\CSS or <PROGRAM FILES>\Diebold\ABC:

Filename | Description
CSS1.exe | NeoPocket malware
casas.txt | Data captured on port 6000
casaAx.txt | Keys logged from the window with the title "Enter the A key"
casaBx.txt | Keys logged from the window with the title "Enter the B key"
css.init | Stores the original port and IP address taken from the .ini files
conta.ttt | Unclear what data is stored in this file
devicex.ini | Installation key
devices2.init | Backup of the original devices.ini
borrar.exe | Used for uninstalling the malware

Table 8. NeoPocket installs these files on the ATM

NeoPocket continuously polls its files to make sure the hidden file attribute is set for all of them. If the
hidden flag is cleared, it will toggle it back on. NeoPocket adds the following registry keys to maintain
persistence, pretending to be a component of the Diebold Agilis ATM software.

Figure 51. Added registry keys

NeoPocket searches for the Diebold configuration files css.ini and devices.ini in the <ROOT>\Diebold\
CSS or <PROGRAM FILES>\Diebold\ABC directories. Once found, NeoPocket modifies the RemotePort
and Port fields to 6000, and the IpHost and IP fields to 127.0.0.1 in those two .ini files.

Figure 52. Update RemotePort & Port to 6000 and IpHost & IP to 127.0.0.1 in all .ini files

The malware's intent is to perform a man-in-the-middle (MitM) attack on all transaction data going from the ATM to the bank. It
achieves this by modifying the files css.ini and devices.ini so that all transaction data packets are routed to the Internet
socket 127.0.0.1 port 6000, capturing those packets, and then forwarding them to the process
that handles communications with the bank over a VPN. Expert knowledge of Diebold Agilis is mandatory
to understand how the system is set up and to determine which fields in the .ini files must be modified
to successfully set up the MitM attack. NeoPocket makes the following API calls to set up and listen on
the socket:

Figure 53. API calls made to listen to traffic on port 6000

TCP TESTER:6000 TESTER:0 LISTENING 1780 [CSS1.EXE1]

Figure 54. Listening on port 6000

We used a network packet generator to create packets with the custom payload "Please capture me!!!" and
sent them to 127.0.0.1:6000. The packet payload was captured and stored in casas.txt by the malware:

506C 01/04/14 22:09:02
--------
ease capture me!
!!..............
506C 01/04/14 22:09:02
--------
ease capture me!
!!..............
506C 01/04/14 22:09:02
--------
ease capture me!
!!..............

Figure 55. Captured traffic
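The MitM setup described above leaves two host-level traces a defender can check for: Diebold .ini files whose RemotePort/Port and IpHost/IP fields point at 127.0.0.1 and port 6000, and a process listening on loopback port 6000 (as in the netstat output in Figure 54). The following Python is an added example and not code from the paper or from Diebold: the section and key layout of the sample .ini text is hypothetical (only the key names RemotePort, Port, IpHost and IP come from the paper), and the netstat lines are constructed to resemble `netstat -ano` output.

```python
import configparser
import re

LOOPBACK = "127.0.0.1"
NEOPOCKET_PORT = 6000
HOST_KEYS = {"IpHost", "IP"}          # keys NeoPocket rewrites to 127.0.0.1 (from the paper)
PORT_KEYS = {"RemotePort", "Port"}    # keys NeoPocket rewrites to 6000 (from the paper)


def _parse_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "IP" and "IpHost" are reported as written
    cp.read_string(text)
    return cp


def find_loopback_redirects(ini_text: str) -> list:
    """Return (section, key, value) for host/port keys that point at 127.0.0.1 or port 6000."""
    hits = []
    cp = _parse_ini(ini_text)
    for section in cp.sections():
        for key, value in cp.items(section):
            v = value.strip()
            if key in HOST_KEYS and v == LOOPBACK:
                hits.append((section, key, v))
            elif key in PORT_KEYS and v.isdigit() and int(v) == NEOPOCKET_PORT:
                hits.append((section, key, v))
    return hits


# Matches "TCP  <addr>:<port>  <foreign>  LISTENING  <pid>"; <addr> may be an IP or a host name.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


def find_listeners(netstat_text: str, port: int) -> list:
    """Return the PIDs of processes listening on `port` in netstat -ano style output."""
    pids = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def assess(ini_files: dict, netstat_text: str) -> dict:
    """Combine both checks: redirects per .ini file, listeners on the port, overall verdict."""
    redirects = {name: find_loopback_redirects(text) for name, text in ini_files.items()}
    listeners = find_listeners(netstat_text, NEOPOCKET_PORT)
    return {"redirects": redirects, "listeners": listeners,
            "suspicious": any(redirects.values()) and bool(listeners)}


# Constructed sample inputs (hypothetical section names and values).
SAMPLE_CSS_INI = """[Host]
IpHost = 127.0.0.1
RemotePort = 6000
Timeout = 30
"""
SAMPLE_DEVICES_INI = """[Communications]
IP = 127.0.0.1
Port = 6000
"""
SAMPLE_CLEAN_INI = """[Host]
IpHost = 10.20.30.40
RemotePort = 443
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:6000         0.0.0.0:0              LISTENING       1780
  TCP    10.20.30.5:49152       10.20.30.40:443        ESTABLISHED     2044
"""


def assess_sample() -> dict:
    return assess({"css.ini": SAMPLE_CSS_INI, "devices.ini": SAMPLE_DEVICES_INI,
                   "clean.ini": SAMPLE_CLEAN_INI}, SAMPLE_NETSTAT)


if __name__ == "__main__":
    print(assess_sample())
```

The two checks are kept separate on purpose: a loopback redirect alone could be a legitimate local proxy, and a listener on 6000 alone could be any service, but the combination on an ATM whose host-communication configuration should never point at itself is the condition worth paging someone for.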

NeoPocket looks for windows with the following titles:

Enter the A key

Escriba la clave A

Enter the B key

Escriba la clave B

Once the target window is found, NeoPocket logs user input to that window by monitoring the state of the
keys being pressed through the API GetKeyState. No information is available about what data is entered in
these windows or how it is entered (keyboard or PIN pad). It is interesting to note that NeoPocket looks
for window titles in both English and Spanish.

Figure 56. Keylog from target windows

NeoPocket has functionality to terminate the SMC.exe process, which we believe corresponds to
Symantec Endpoint Protection. This means that there is a high level of targeting in this attack and the
criminals know a great deal about the protections being used by the targeted financial institution. We
do not exclude the possibility that other versions of Neopocket terminate other protection software,
according to the new targets and their defense systems.

Figure 57. The command to terminate the SMC.exe process

NeoPocket seems to have been installed using a USB device. The malware periodically checks the registry
key SYSTEM\CurrentControlSet\Services\USBSTOR to look for a USB storage device being connected
to the ATM.

Figure 58. The command to search for connected USB device

Once a USB device has been connected, NeoPocket is ready to receive commands from it. The malware
uses unconventional methods to receive these user commands. It can receive commands in the
following two ways:

First, it expects command strings coming from the USB device to 127.0.0.1:8000 and tries to match the
following string patterns:

Command string | Function
9999999999 | Returns information that includes FCBALANCE
9999999911 | Returns information that includes FCBALANCE
9999999981 | Restores the original .ini files from backup. Deletes all dropped files. Deletes all registry keys added during the install process. Calls borrar.exe to kill CSS1.exe and deletes the executable.

Table 9. The string patterns NeoPocket tries to match

Second, it checks for the presence of certain files, the existence of which triggers different actions. NeoPocket
searches for these .xxx files in drives D, E, F, G, or H. If the files are located on the default C: drive, no
action is taken.

File found | Function
key.xxx | Deletes the installation key
tumbar.xxx | Kills the process SMC.exe
copiar.xxx | Encrypts the collected data and stores the result in files whose names end with the .enc extension
borrar.xxx | Restores the original .ini files from backup. Deletes all dropped files. Deletes all registry keys added during the install process. Calls borrar.exe to kill CSS1.exe and deletes the executable.

Table 10. NeoPocket scans for certain files that trigger different actions

ATM Malware Family Comparison

Feature | Skimer | Ploutus | Padpin/Tyupkin | NeoPocket | Suceful | GreenDispenser
Discovery year | 2007 | 2013 | 2014 | 2014 | 2015 | 2015
In the wild | Yes | Yes | Yes | Yes | No | Yes
Countries affected | Russia, Ukraine, other EU countries | Mexico | Eastern Europe, South East Asia | South America | N/A | Mexico
Manufacturer targeted | Diebold | NCR | NCR | Diebold | Diebold, NCR (claimed) | All
Installation method on ATM | Unknown | CD-ROM | CD-ROM | Unknown | N/A | Unknown
Family branches into multiple variants | Yes | Yes | No | No | No | No
Programming language | Delphi | C# compiled into .NET | C# compiled into .NET | VB | Borland C++ | Visual C++
Library used to access peripherals | DbdDevAPI.dll | ncr.aptra.axfs.activecontrols.dll | MSXFS.dll | Peripherals not accessed | MSXFS.dll | MSXFS.dll
Access control implemented | Yes | Yes | Yes | Yes | No | Yes (two-stage authentication)
Dispenses cash | Yes | Yes | Yes | No | No | Yes
Steals information | Yes | No | No | Yes | Yes | No
User menu | Yes | Yes | Yes | No | Yes | Yes
User commands received via | PIN pad | Keyboard, PIN pad, SMS | PIN pad | Raw socket, files | Keyboard, mouse | PIN pad
Language strings | Spanish | English, Spanish | English | Spanish | Russian | English
Encrypts stolen data | Yes | No | No | Yes | No | No
Time-limited campaign | No | Needs activation every 24 hours | Operates only at certain times | Operates before May 21, 2014 | No | Operates January 1 to August 31, 2015
Persistent between reboots | Yes | Yes | Yes | Yes | No | No
Antivirus disabled | No | No | Yes (via other tool) | Yes | No | No
Disables ATM sensors | No | No | No | No | Yes | No

Table 11. ATM malware family comparison

Appendix II

IOCs
Skimer ver-2009

047fc4c42a54a45fddb0d6d8e8958d4f873aecff
a7a407fdfc00089e5d74c7f1803e5adf47ca3cad
c3abfac87f028e1912ff2389eb0836ff17d83892
d15c97b8e5ef165bbbecedb1abf553ae9fec20e0
b7fc0dd1f939d7bca337b0d9cd562e3b1b5c8947
350e40aad87380faa51bd8f63afc6f5311f38148

Skimer ver-2011

313b44b09b78c8e6e5e3ce7603e5cc261c314e53
0bb68a5d1d4222655a918b483b296c9bd2efe77a
85b8480a57e331747fd4a55c50675b7e412a67ee
3e58c3123cf37300d97568d58ca55e3d1314c067
abd8648c63cdf7a514b2d3fd6a99b2f92b4dbcc6
ddff5bdea6fe0120d3ee816c353592f06178e81e
c297f38ee688329b5ae38d8b0ccd3b55f0bb94c3
8ceead2ba1f84347800fdd529e07889a8895020c
74758372d3860ef97ab5b9a7060600a929134543

Ploutus:

388a4ef6a8e9c7fdc915107e612e7caa829098b4
5b2b2b061949205be824899ed4d66c701c6cdcad
8c52518f3e0208b8e1ba6174a988e2378d69fae0
b0b13b336ee8770bb2a90fb1292fd9dcabd046f4
bc244a589dc132453ef1b0daa592a5b45156e8e8
c72a2e50410475a51d897d29ffbbaf2103754d53
d2bc398a288724bd93ff558309c510a77553a548
d5ba7e3944e302890ca6a98b030d6d937528fc14
fa781932744fd1877bdf7e5561a86f6690c6c317

Padpin:

0c3e6c1d4873416dec94c16e97163746d580603d
158dd19c0565e8541abef8a06ad4231c62752020
45343fc8ba75e188174d0b09dd71345b88fa0a24
4d5493d93e600a61b21debad299dc178dcdadca3
535f24c37102387fb3dd7869523aedb1805f3733
5a699a8f64046d3d7fb5014d0242c159a04b8eed
bd8ab63f2544ca55858b6407e0b52d5494cf3715
bfa9791ccc407819907b9d38341dd6d50b663e55
d9c5c177a6eb2847cbb2e16e74013992b65b9fd9

GreenDispenser:

b3401a57ddde3b944bafd348f6575ce195883acc
8f9428c689aa1953293d240e83530ec00fe1df47
d9aae7e14b1f6267bc37d5c2ea3ee681b90fbed2
027f6e1ab57db86fc400e5c0ea8f943791ca9943
25f4d7bd393fb8e65de716e6353a1ec11bf6d3b2

Suceful:

4610093687b0f2c42fe80adca217988c8947a546
ccafd4e255880a7f9bceebad5f7e98d0bc753edf

Neopocket:

6905848e0f6b5d760cdb553ca30a13e29cb22504
cf189ac7f28d597a5094223c94fa9cad2ee8bf61
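A host-side sweep for NeoPocket can combine the three indicator sets the paper gives: the SHA-1 hashes listed above, the file names NeoPocket drops under the Diebold directory (Table 8), and the trigger files it looks for on removable drives D through H (Table 10). The following Python is an added example, not code from the paper or from any vendor tool: it walks a directory tree, hashes every file and reports name or hash matches. The directory tree it scans is constructed inside a temporary folder with placeholder contents (no real samples), and one constructed file's hash is added to the indicator set purely so that the hash-matching path is exercised.

```python
import hashlib
import os
import shutil
import tempfile

# SHA-1 indicators for NeoPocket, from Appendix II of the paper.
NEOPOCKET_SHA1 = {
    "6905848e0f6b5d760cdb553ca30a13e29cb22504",
    "cf189ac7f28d597a5094223c94fa9cad2ee8bf61",
}
# Files NeoPocket drops (Table 8) and trigger files it looks for on removable drives (Table 10).
DROPPED_FILES = {"css1.exe", "casas.txt", "casaax.txt", "casabx.txt", "css.init",
                 "conta.ttt", "devicex.ini", "devices2.init", "borrar.exe"}
TRIGGER_FILES = {"key.xxx", "tumbar.xxx", "copiar.xxx", "borrar.xxx"}


def sha1_of(path: str) -> str:
    """Stream a file through SHA-1 so large files do not need to be read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, sha1_iocs=frozenset(NEOPOCKET_SHA1)) -> list:
    """Walk `root` and report every file whose name or SHA-1 matches a NeoPocket indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()          # NTFS is case-insensitive, so compare lower-cased names
            reasons = []
            if lower in DROPPED_FILES:
                reasons.append("dropped-file name")
            if lower in TRIGGER_FILES:
                reasons.append("USB trigger-file name")
            digest = sha1_of(path)
            if digest in sha1_iocs:
                reasons.append("SHA-1 match")
            if reasons:
                hits.append({"path": os.path.relpath(path, root), "sha1": digest, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def demo() -> list:
    """Build a constructed directory tree, scan it, clean up, and return the hits."""
    root = tempfile.mkdtemp(prefix="neopocket_demo_")
    try:
        diebold = os.path.join(root, "Diebold", "CSS")   # mirrors <ROOT>\Diebold\CSS from the paper
        usb = os.path.join(root, "E_drive")              # stands in for a removable drive
        os.makedirs(diebold)
        os.makedirs(usb)
        samples = {   # constructed placeholder contents, not malware
            os.path.join(diebold, "CSS1.exe"): b"constructed placeholder",
            os.path.join(diebold, "casas.txt"): b"506C 01/04/14 22:09:02\n",
            os.path.join(diebold, "css.ini"): b"[Host]\nIpHost = 127.0.0.1\n",
            os.path.join(usb, "borrar.xxx"): b"",
            os.path.join(usb, "readme.txt"): b"benign",
        }
        for path, content in samples.items():
            with open(path, "wb") as f:
                f.write(content)
        # Add one constructed hash so the SHA-1 path is exercised; a real sweep uses only Appendix II.
        iocs = frozenset(NEOPOCKET_SHA1 | {hashlib.sha1(b"benign").hexdigest()})
        return scan_tree(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Note that css.ini is not reported by this sweep even though NeoPocket modifies it: it is a legitimate Diebold file, so its contents rather than its name have to be inspected, which is what the .ini redirect check earlier in this section covers.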

References
1. European ATM Security Team. (October 13, 2015). www.european-atm-security.eu. European ATM Fraud Incidents up 15%,
driven by low tech crime. Last accessed: February 19, 2016. https://www.european-atm-security.eu/european-atm-fraud-
incidents-up-15-driven-by-low-tech-crime/.

2. European ATM Security Team. (October 13, 2015). www.european-atm-security.eu. EAST Publishes European Fraud
Update 3-2015. Last accessed: April 7, 2016. https://www.european-atm-security.eu/east-publishes-european-fraud-
update-3-2015/.

3. International Organization for Standardization. (June 15, 2003). www.iso.org. ISO 8583-1:2003 Financial transaction card
originated messages -- Interchange message specifications -- Part 1: Messages, data elements and code values. Last
accessed: November 14, 2015. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=31628.

4. International Organization for Standardization. (June 18, 1998). www.iso.org. ISO 8583-1:2003 Financial transaction card
originated messages -- Interchange message specifications -- Part 2: Application and registration procedures for Institution
Identification Codes (IIC). Last accessed: November 14, 2015. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_
detail.htm?csnumber=23632.

5. International Organization for Standardization. (May 1, 2003). www.iso.org. ISO 8583-1:2003 Financial transaction card originated
messages -- Interchange message specifications -- Part 3: Maintenance procedures for messages, data elements and
code values. Last accessed: November 14, 2015. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.
htm?csnumber=35363.

6. EFT Lab. (2015). eftlab.co.uk. TPDU - The Transaction Protocol Data Unit. Last accessed: November 14, 2015. https://www.
eftlab.co.uk/index.php/site-map/our-articles/295-tpdu-the-transaction-protocol-data-unit.

7. Brian Krebs. (May 30, 2014). Krebs on Security. Thieves Planted Malware to Hack ATMs. Last accessed: January 5, 2016.
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/.

8. Wikimedia Foundation, Inc. (October 24, 2015). Wikipedia. CEN/XFS. Last accessed: November 14, 2015.
https://en.wikipedia.org/wiki/CEN/XFS.

9. European Committee for Standardization. (December 2011). Extensions for Financial Services (XFS) interface specification
Release 3.20 - Part 1: Application Programming Interface (API) - Service Provider Interface (SPI) - Programmer's Reference. Last
accessed: November 14, 2015. ftp://ftp.cenorm.be/CWA/CEN/WS-XFS/CWA16374/CWA16374-1-2011_December.pdf.

10. Kazan First. (September 11, 2015). Kazanfirst.ru 18- 340 000 . Last
accessed: February 19, 2016. http://kazanfirst.ru/online/54389.

11. Vanja Svajcer. (March 17, 2009). Naked Security by Sophos. Credit card skimming malware targeting ATMs. Last accessed:
December 1, 2015. https://nakedsecurity.sophos.com/2009/03/17/credit-card-skimming-malware-targeting-atms/.

12. Kim Zetter. (April 6, 2009). Wired. New ATM malware captures PINS and Cash (Updated). Last accessed: December 1, 2015.
http://www.wired.com/2009/06/new-atm-malware-captures-pins-and-cash/.

13. Graham Cluley. (March 18, 2009). Naked Security by Sophos. More details on the Diebold ATM Trojan horse case. Last
accessed: December 1, 2015. https://nakedsecurity.sophos.com/2009/03/18/details-diebold-atm-trojan-horse-case/.

14. Daniel Regalado. (October 25, 2013). Symantec Connect. Backdoor.Ploutus Reloaded - Ploutus Leaves Mexico. Last
accessed: November 24, 2015. http://www.symantec.com/connect/blogs/backdoorploutus-reloaded-ploutus-leaves-mexico.

15. Daniel Regalado. (March 24, 2014). Symantec Connect. Texting ATMs for Cash Shows Cybercriminals' Increasing
Sophistication. Last accessed: November 24, 2015. http://www.symantec.com/connect/blogs/texting-atms-cash-shows-
cybercriminals-increasing-sophistication.

16. Daniel Regalado. (October 8, 2014). Symantec Security Response. Backdoor.Padpin. Last accessed: November 19, 2015.
https://www.symantec.com/security_response/writeup.jsp?docid=2014-051213-0525-99.

17. FSLabs. (October 7, 2014). F-Secure Labs. NCR ATM API Documentation Available on Baidu. Last accessed: November 19,
2015. https://www.f-secure.com/weblog/archives/00002751.html.

18. Kaspersky Lab's Global Research & Analysis Team. (October 7, 2014). SecureList. Tyupkin: manipulating ATM machines with
malware. Last accessed: November 19, 2015. https://securelist.com/blog/research/66988/tyupkin-manipulatingatmmachines-
with-malware/.

19. Suzanne Cluckey. (October 10, 2014). ATM Marketplace. Can the ATM industry stop Tyupkin in its tracks? Last accessed:
November 19, 2015. http://www.atmmarketplace.com/articles/can-the-atm-industry-stop-tyupkin-in-its-tracks/.

20. Thoufique Haq. (September 24, 2015). Proofpoint. Meet GreenDispenser: A New Breed of ATM Malware. Last accessed:
December 12, 2015. https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser.

21. Daniel Regalado. (September 11, 2015). FireEye Blogs. SUCEFUL: Next Generation ATM Malware. Last accessed: December
8, 2015. https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html.

22. Jozsef Gegeny and Santiago Vicente. (April 20, 2014). S21sec Blog. NeoPocket: A new ATM malware. Last accessed:
December 17, 2015. http://securityblog.s21sec.com/2014/04/neopocket-new-atm-malware.html.

23. Sam Adams. (February 6, 2015). The Mirror UK. Grigore Paladi: Gang member jailed for helping steal £1.6m from cash
machines in ONE weekend. Last accessed: January 5, 2016. http://www.mirror.co.uk/news/uk-news/grigore-paladi-gang-
member-jailed-5115228.

24. Finance Twitter. (September 2014). FinanceTwitter.com. Here's How Malaysian ATMs were Hacked of RM3 Million by Latin Americans.
Last accessed: January 5, 2016. http://www.financetwitter.com/2014/09/here-is-how-malaysian-atms-were-hacked-of-rm3-
million-by-latin-americans.html.

25. Opalyn Mok. (October 9, 2014). Malay Mail Online. Bank in Bayan Baru latest target of ATM hacking. Last accessed: January
5, 2016. http://www.themalaymailonline.com/malaysia/article/bank-in-bayan-baru-latest-target-of-atm-hacking.

26. Atiqa Hazellah. (December 19, 2014). New Straits Times Online. ATM theft suspect to be charged in UK. Last accessed:
January 5, 2016. http://www.nst.com.my/news/2015/09/atm-theft-suspect-be-charged-uk.

27. DIICOT. (January 5, 2016). DIICOT. Press Release 05-01-16. Last accessed: January 5, 2016. http://www.diicot.ro/index.php/
arhiva/1643-comunicat-de-presa-05-01-2016.

28. Mobile Payments Today. (January 1, 2016). Mobile Payments Today. Diebold, EyeLock to showcase screen-free ATM at CES.
Last accessed: January 7, 2016. http://www.mobilepaymentstoday.com/news/diebold-to-showcase-screen-free-atm-at-ces/.

29. Ben Coxworth. (January 6, 2016). Gizmag. Futuristic no-PIN automated teller looks its user in the eye. Last accessed: March
30, 2016. http://www.gizmag.com/eyelock-diebold-irving-atm/41217/.

30. Dr. Web. (December 16, 2013). DrWeb.com. Trojan.Skimer.18 infects ATMs. Last accessed: January 5, 2016. http://news.drweb.
com/show/?i=4167&lng=en.

31. Kathleen Notario. (October 9, 2012). Trend Micro Threat Encyclopedia. TSPY_SKIMER.D. Last accessed: December 1, 2015.
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_skimer.d.

32. Kathleen Notario. (October 9, 2012). Trend Micro Threat Encyclopedia. TSPY_DROPSKIM.D. Last accessed: December 1,
2015. http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_dropskim.d.

33. Daniel Regalado. (October 8, 2014). Symantec Security Response. Backdoor.Padpin. Last accessed: November 19, 2015.
https://www.symantec.com/security_response/writeup.jsp?docid=2014-051213-0525-99.

34. InfoSec Institute. (January 19, 2015). resources.infosecinstitute.com. Tyupkin ATM Malware Analysis. Last accessed:
November 19, 2015. http://resources.infosecinstitute.com/tyupkin-atm-malware-analysis/.

35. Freebuf. (November 12, 2014). Freebuf.com :Tyupkin. Last accessed: November 19, 2015. http://www.freebuf.com/articles/
system/50940.html.

36. Intel Security. (December 3, 2014). IntelSecurity.com. McAfee Labs Threat Advisory: BackDoor-Pinpad. Last accessed:
November 19, 2015. https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/
PD25492/en_US/McAfee_Labs_Threat_Advisory_BackDoor-Pinpad_PD25492.pdf.

37. Daniel Regalado. (October 8, 2014). Symantec Security Response. Backdoor.Padpin. Last accessed: November 19, 2015.
https://www.symantec.com/security_response/writeup.jsp?docid=2014-051213-0525-99.

38. David John Agni. (September 30, 2015). Trend Micro Threat Encyclopedia. TROJ_GREENDISPENSER.A. Last accessed:
December 12, 2015. http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_greendispenser.a.

39. Vallejocc. (September 29, 2015). Vallejo.cc. Analyzing ATM malware. Last accessed: December 8, 2015. http://vallejo.
cc/2015/09/29/analyzing-atm-malware/.

40. European Committee for Standardization. (2015). CWA 16374. Last accessed: December 8, 2015. https://www.cen.eu/
work/areas/ICT/eBusiness/Pages/CWA16374.aspx.

Created by:

The Global Technical Support and R&D Center of TREND MICRO

TREND MICRO™
Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and
threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client,
server, and cloud-based security that fits our customers' and partners' needs; stops new threats faster; and protects data in physical, virtualized, and
cloud environments. Powered by the Trend Micro Smart Protection Network infrastructure, our industry-leading cloud-computing security technology,
products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe.
For additional information, visit www.trendmicro.com.

www.trendmicro.com

© 2016 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of
Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
