Tyupkin: Manipulating ATM Machines with Malware
This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.
The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.
When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.
Most of the analyzed samples were compiled around March 2014. However this malware has evolved over time. In its last variant (version .d) the malware implements anti debug and anti emulation techniques, and also disables McAfee Solidcore from the infected system.
According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.
The attackers copied the following files into the ATM:
After some checks of the environment, the malware removes the .lnk file and create a key in the registry:
"AptraDebug" = "C:\Windows\system32\ulssm.exe"
The malware is then able to interact with ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).
The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.
It accepts the following commands:
XXXXXX – Shows the main window.
XXXXXX – Self deletes with a batch file.
XXXXXX – Increases the malware activity period.
XXXXXX – Hides the main window.
After every command the operator must press "Enter" on the ATM's pin pad.
Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.
The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered that it is possible to interact with the infected ATM.
After that, the malware shows the following message:
CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.
When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.