RIPPER ATM malware and the 12M baht jackpot | ATM Marketplace

By Daniel Regalado, Threat Research, FireEye

On Aug. 23, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before.

Adding more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post reported the theft of 12 million baht ($346,816) from ATMs at banks in Thailand.

In this blog, FireEye Labs dissects this new ATM malware, which we have dubbed RIPPER (due to the project name ATMRipper identified in the sample), and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.

Connection to previous ATM malware

• targets the same ATM brand;

• the technique used to expel currency follows the same (already documented) strategy performed by Padpin (Tyupkin), SUCEFUL and GreenDispenser;

• like SUCEFUL, it is able to control the card reader device to read or eject the card on demand;

• can disable the local network interface, similar to capabilities of the Padpin family;

• uses the SDelete secure deletion tool, similar to GreenDispenser, to remove forensic evidence; and

• consistently enforces a limit of 40 bank notes per withdrawal, the maximum allowed by the ATM vendor.

New features, capabilities and behaviors in RIPPER

• targets three of the main ATM vendors worldwide, which is a first; and

• interacts with the ATM via the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Although this technique has been used by the Skimer family, it is an uncommon mechanism.

RIPPER analysis

• MD5 — 15632224b7e5ca0ccb0a042daf2adc13

• RIPPER persistence — can maintain persistence using either of two modes: as a standalone service, or by masquerading as a legitimate ATM process.

RIPPER is installed as a service if called with the following argument:

• service install — before creating the service, it kills the process dbackup.exe, which is specific to one common ATM vendor: cmd /c taskkill /IM dbackup.exe /T /F

It then replaces the original dbackup.exe binary under C:\Windows\System32\ (if present) with itself.

Finally, it installs itself as a persistent service.

RIPPER can delete the dbackup service if run with the following argument:

• service remove

RIPPER can stop or start the dbackup service with the following arguments:

• service start

• service stop

RIPPER also supports the following command line switches:

• /autorun — sleeps for 10 minutes and then runs in the background, waiting for interaction;

• /install — replaces the ATM software running on the ATM as follows:

• upon execution, RIPPER kills the processes running in memory for the three targeted ATM vendors via the native Windows taskkill tool;

• RIPPER examines the contents of directories associated with the targeted ATM vendors and replaces legitimate executables with itself. This allows the malware to keep the legitimate program name to avoid suspicion; and

• RIPPER maintains persistence by adding itself to the \Run\FwLoadPm registry key (which might already exist as part of the vendor installation), passing the /autorun parameter that is understood by the malware (Figure 1).

• /uninstall — RIPPER removes the registry keys it created.

Running without parameters

If RIPPER is executed without parameters, it performs the following actions:

• it connects to the cash dispenser, card reader and PIN pad. Since every ATM brand has its own unique device names, RIPPER identifies the currently installed devices by enumerating them under the following registry key: HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\

• RIPPER makes sure the devices are available by querying their status (Figure 2) and, if they are not available, exits;

• for the dispenser it obtains information such as the cash unit details in order to determine the number and type of available notes;

• finally, it starts two threads. The first monitors the status of the ATM devices (Figure 3) to make sure they are available, and reads all keystrokes received from the PIN pad device, waiting for the thieves to interact with it;

• the second thread monitors the card reader and, once a card is inserted, validates the EMV chip; this is how the card authenticates to the malware.

• once a valid card with a malicious EMV chip is detected, RIPPER instantiates a timer to allow a thief to control the machine (Figure 4);

• once the thieves start interacting with RIPPER, they enter instructions via the PIN pad and multiple options are displayed, including methods for dispensing currency (Figure 5).

• CLEAN LOGS — clears the log stored at C:\WINDOWS\temp\clnup.dat;

• HIDE — hides the malware GUI by calling the ShowWindow() API;

• NETWORK DISABLE — shuts down the ATM local network interface to prevent it from communicating with the bank. It can re-enable the connection if needed;

• REBOOT — calls the ExitWindowsEx() API without sending the WM_QUERYENDSESSION message, which avoids confirmation prompts and causes the system to reboot; and

• BACK — ejects the malicious ATM card back to the thieves by calling WFSExecute() with the command WFS_CMD_IDC_EJECT_CARD. Use of this option (Figure 6) was observed in the SUCEFUL family.