ATM Malware Steals Cash and Self-Destructs without a Trace

Security researchers have discovered a new ATM malware, titled GreenDispenser, that is currently operating in the wild and grants hackers the means to simply walk up to an infected machine and withdraw cash.

The revelation came to light thanks to researchers at security firm Proofpoint, who aptly coined the malware ‘GreenDispenser’.

The full details of the discovery are in Proofpoint's blog post.

In publishing the discovery via a blog entry, Thoufique Haq, a security researcher at Proofpoint, wrote:

“GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault.”

Once installed, the malware displays an “out of service” message on the ATM screen, leaving the machine ripe for the attackers to drain its vault.

Attackers who enter the correct PIN codes are granted access to the ATM’s cash; afterwards they erase GreenDispenser with a ‘deep delete’ routine, wiping out any evidence that the ATM was compromised.


“Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel,” wrote Haq in the blog post.

So far, Proofpoint has evidence of the malware being used in the wild in Mexico. The security firm adds, however, that nothing about the technique is specific to that region, and the same malware could be used against ATMs in other countries around the world.

A Deliberate, Clever Operation

It is very likely that the malware was operated with a mobile application that scans a QR code to generate the PIN that is then entered at the ATM.

Explaining the process, Haq wrote:

“GreenDispenser employs authentication using a static hard coded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM.

“We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.”

Proofpoint confirms that GreenDispenser can target ATMs from multiple vendors because it is built on the XFS middleware standard, the common interface through which ATM software drives the cash dispenser and other peripherals. Most ATM vendors support XFS.

The security firm also notes that installing the malware requires physical access to the ATM in the first place, which raises the possibility of malicious insiders at banks or among the personnel who replenish the ATMs’ vaults, or of compromised physical security.

Furthermore, the malware samples inspected by Proofpoint were coded to operate only in 2015 and only in the months before September. Such a systematic, pre-programmed setup demonstrates the clandestine nature of the operation and its aim of avoiding detection entirely.