On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported the theft of 12 million baht from ATMs at banks in Thailand.
In this blog, FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name “ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.
Connection to previous ATM Malware
- Targets the same ATM brand.
- The technique used to expel currency follows the same strategy (already documented) performed by the Padpin (Tyupkin), SUCEFUL and GreenDispenser.
- Similar to SUCEFUL, it is able to control the Card Reader device to Read or Eject the card on demand.
- Can disable the local network interface, similar to capabilities of the Padpin family.
- Uses the “sdelete” secure deletion tool, similar to GreenDispenser, to remove forensic evidence.
- Enforces a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor.
New features, capabilities, or behaviors in RIPPER
- It targets three of the main ATM Vendors worldwide, which is a first.
- RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Although this technique was already used by the Skimmer family, it is an uncommon mechanism.
Similarities between RIPPER and the recent ATM theft in Thailand
RIPPER can maintain persistence using two modes: either as standalone service or masquerading as a legitimate ATM process.
RIPPER is installed as a service if called with the following arguments:
Before creating the service, it will kill the process “dbackup.exe”, which is specific to one common ATM vendor:
cmd /c taskkill /IM dbackup.exe /T /F
Then it will replace the original dbackup.exe binary under c:\Windows\system32\ (if present) with itself.
Finally it will install a persistent service with following attributes:
RIPPER can delete the “DBackup Service” service if run with the following arguments:
RIPPER can stop or start the “DBackup Service” with the following arguments:
“service start” or “service stop”
RIPPER also supports the following command line switches:
/autorun: Will Sleep for 10 minutes and then run in the background, waiting for interaction.
/install: RIPPER will replace the ATM software running on the ATM as follows:
Upon execution, RIPPER will kill the processes running in memory for the three targeted ATM Vendors via the native Windows “taskkill” tool.
RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion.
RIPPER will maintain persistence by adding itself to the \Run\FwLoadPm registry key (that might already exist as part of the vendor installation), passing the “/autorun” parameter that is understood by the malware, as seen in Figure 1.
Figure 1: Registry key added for persistency
/uninstall: RIPPER removes the registry keys created
Running without parameters
If RIPPER is executed without any parameters, it will perform the following actions:
1. It will connect with the Cash Dispenser, Card Reader and the Pinpad. Since every ATM brand has its own unique devices names, RIPPER will identify the current devices installed by enumerating them under the following registry key:
2. RIPPER will make sure the devices are available by querying their status (Figure 2), and if not available, will exit.
Figure 2: Querying the devices status via WFSGetInfo() API
3. For the Dispenser it will obtain information such as the Cash Unit details to determine the number and type of available notes.
4. Finally it starts two threads; the first of which will monitor the status of the ATM devices to make sure they are available and will read all the keystrokes received from the Pinpad device waiting to interact with the thieves (see step 7), as seen in Figure 3.
Figure 3: Monitoring Pinpad keystrokes
5. The second thread monitors the Card Reader, and once a card is inserted it validates the EMV chip for authentication to the ATM Malware.
6. Once a valid card with a malicious EMV chip is detected, RIPPER will instantiate a timer to allow a thief to control the machine. Figure 4 depicts the timer function.
Figure 4: Monitoring the Card Reader
7. Once the thieves start interacting with RIPPER, they enter instructions via the Pinpad and multiple options are displayed, including methods for dispensing currency. Figure 5 depicts some of the options available to the thieves.
a. CLEAN LOGS: Will clear the log stored at: C:\WINDOWS\temp\clnup.dat
b. HIDE: Will hide the Malware GUI by calling ShowWindow() API.
c. NETWORK DISABLE: Will shut down the ATM local network interface to prevent it from communicating with the bank. It can re-enable the connection if needed.
Figure 5: Main Menu
d. REBOOT: Will call ExitWindowsEX() API without sending WM_QUERYENDSESSION message to avoid prompts for confirmation, causing the system to reboot.
e. BACK: Ejects the malicious ATM card back to the thieves by calling the WFSExecute() with the command: WFS_CMD_IDC_EJECT_CARD. This option, depicted in Figure 6, was observed being used by the SUCEFUL family.
Figure 6: Asking Card Reader to eject the chip card
Through open sources, we’ve identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware. This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices. In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves.