“GreenDispenser” ATM Malware Allows Attackers to Steal Cash

Researchers have discovered a new piece of malware designed to target ATMs and allow malicious actors to quickly empty a machine’s cash vault.

Stealing payment cards or card data can be lucrative for cybercriminals, but walking up to an ATM and commanding it to hand over all the money in its cash vault is much more profitable.

ATM malware such as Ploutus and Tyupkin (Padpin) are believed to have been used to steal large amounts of money directly from cash machines, and now there’s a new piece of crimeware developed for this purpose.

The new threat, dubbed “GreenDispenser” by experts at Proofpoint, is similar to Tyupkin. Attackers need physical access to the targeted ATM in order to install the malware. Once this step is completed, they can instruct the machine from its PIN pad to dispense cash.

While GreenDispenser is similar to Tyupkin, researchers say it has a couple of additional noteworthy features: the menu from which the ATM is instructed to dispense cash is protected by two-factor authentication (2FA), and the malware is designed to operate only for a limited period of time.

Similar to other ATM malware, GreenDispenser communicates with the cash machine’s hardware components, such as the PIN pad and the cash dispenser, via XFS, a piece of middleware that provides a client-server architecture for devices used in the financial industry.

The malware attempts to obtain the peripheral names for the PIN pad and the cash dispenser by querying certain registry location. If that doesn’t work, it uses the names “Pinpad1,” respectively “CurrencyDispener1,” which are the default values for specific ATMs.

When the malware is installed on an ATM, it might display a message written in English or Spanish indicating that the machine is out of service. While regular cardholders might walk away from the machine when seeing the error, the fraudsters simply type in a couple of PINs and they gain access to the malware’s menu.

According to Proofpoint, the first PIN is hardcoded, but the second PIN, which is part of a 2FA mechanism likely designed to keep unauthorized users out, is dynamic and can only be obtained by decoding a QR code displayed on the screen. Experts believe cybercrooks likely use a mobile app to decode the QR code and obtain the dynamic PIN.

Once both PINs are entered correctly, a message displayed on the screen instructs the user to press 1 to dispense money, 8 to delete the malware, 88 to perform a force delete, and 9 to pause. The removal process allows the attackers to ensure that little or no trace of the malware remains on the targeted ATM after it’s robbed.

Another interesting aspect about the sample analyzed by Checkpoint is that it’s designed to check the current year and month before running. If the year is not 2015 and the month is not prior to September, GreenDispenser stops running. Experts believe GreenDispenser was used in a limited operation and designed to deactivate itself to avoid being detected.

“ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors,” Proofpoint’s Thoufique Haq wrote in a blog post. “While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter a time before these techniques are abused across the globe. We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come.”

Another interesting ATM malware discovered recently by researchers is Suceful. The threat allows attackers to read data from a card’s magnetic stripe and chip, disable sensors and alarms, and retain and eject cards on command. This last feature allows fraudsters to physically steal cards.

Leave a Reply