ATM Users May Soon Face More Malware


By: David Sancho, Senior Threat Researcher at Trend Micro and Juan Jesús León, Product and New Development Manager of GMV Secure e-Solutions

Trend Micro and GMV – an industry expert on ATM security – presented last week in London at ATMSec, a conference focused on the topic. Our presentation covered a very interesting and forward-looking subject: “The future of ATM malware.” On other occasions we had talked about how ATM malware has been evolving over time; this time around, though, we hypothesized how this kind of malware may evolve in the mid-term.

Juan Jesús León and David Sancho created a model of the current ATM malware landscape based on how each of the families we know about is able to attack.

They then clustered them in two main groups with clearly defined features:

  1. Families involved in network attacks tended to be relatively simple malware.
  2. Families that had a physical component tended to be more complex and included measures to further the criminals’ business plan.

In summary, since ATM attacks coming from the network have more opportunities to disable security on the ATM endpoints, the malware or tools used were simple in nature. The reason is that those attacks had already overcome quite a few hurdles to reach their final setup, so the actual ATM infection was merely a tool to monetize all of the criminals’ previous intrusion efforts: these tools were just a means to tell the ATM to dispense money.

On the other hand, physical intrusion usually requires that the machine be unprotected for the attack to be effective. If this is not the case, the malware usually has additional capabilities, like turning off the network or other advanced features. On top of this, the criminals implement measures to prevent individual members of the criminal gang from going rogue and victimizing more ATMs on their own. This lack of trust between developers and money mules necessitates more complex malware and additional features beyond simply dispensing cash.

What can we expect in the future in this burgeoning malware field? GMV and Trend Micro put forth two possibilities:

  1. The materialization at some point of a malware creation kit that would allow developers to ‘customize’ malware for each attack. Such a kit would generate different malware variants, which could then be resold to other criminal gangs to fit their individual needs depending on who the target bank might be. This would continue the increasing complexity of physical ATM malware we are currently seeing.
  2. The appearance of an open-source cash-dispensing malware tool that would-be bank hackers could add to their arsenal. Such an open-ended tool would be the final rung in the ladder of a bank’s corporate network intrusion and could be used whenever the hackers have found a way to install malware onto the ATMs. Why open source? We hypothesize that, given the simplicity of the tool, this would be a great way for the criminals to hinder further investigation of the machines. Since the tool would be publicly accessible, there would be no more clues left behind on those very sensitive machines. Truly evil.

These two predictions may or may not come to pass, but they do make sense given the current state of the ATM malware landscape. GMV and Trend Micro have put a lot of thought into these predictions and, given the shared experience of both companies in the field, we believe stakeholders in these projects should take them into account when protecting these environments. Don’t say we didn’t warn you.