A Russian-speaking Skimer group forces ATMs to assist them in stealing users money. Discovered in 2009, Skimer was the first malicious program to target ATMs. Seven years later, cybercriminals are reusing the malware: but both the crooks and the program have evolved, and this time they pose an even more advanced threat to banks and their customers around the globe.
Imagine this situation: a bank discovers it has been attacked. But, strangely, no money has been stolen, and nothing seems to have been modified in the bank’s system. The criminals have just left. But could this be true?
It was a challenge to find the reason for such unusual criminal activity. But during an incident response investigation, Kaspersky Lab’s expert team cracked the criminal plot and discovered traces of an improved version of a Skimer malware on one of the bank’s ATMs. It was planted there and left inactivated until the cybercriminal sends it a control - a smart way of hiding their tracks.
The Skimer group starts its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network. Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM – the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards.
The criminals then have full control over the infected ATMs. But they tread carefully and their actions are skillful. Instead of installing skimmer devices (a fraudulent lookalike card reader over the legitimate reader) to siphon card data, they turn the whole ATM into a skimmer. With the ATM successfully infected with Backdoor.Win32.Skimer, criminals can withdraw all the funds in the ATM or grab the data from cards used at the ATM: including the customer’s bank account number and PIN code.
A scary thing is that there is no way for common people to distinguish infected ATMs. They don’t have any physical signs of being malicious, unlike in cases with a skimmer device when an advanced user can discover if it’s replacing a real card reader of a machine.
Direct money withdrawal from the money cassettes will be revealed immediately after the first encashment, while malware inside ATM can safely skim the data from cards for a very long time. Therefore Skimer guys do not start acting immediately – they are very careful about hiding their tracks: their malware may operate on the infected ATM for several months without undertaking any activity.
In order to wake it up, criminals to insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card. The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered any time soon. And their access to cash is simple, and worryingly easy to manage.
Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. This includes the Tyupkin family, discovered in March 2014, which became the most popular and widespread. However, it now looks as if Backdoor.Win32.Skimer is back in action. Kaspersky Lab now identifies 49 modifications of this malware, with 37 of these modifications targeting the ATMs by just one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.
With the help of samples submitted to VirusTotal, we can see a very wide geographical distribution of potentially infected ATMs. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil, Czech Republic.
To prevent this threat, Kaspersky Lab recommends undertaking regular AV scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting ATM´s BIOS with a password, allowing only HDD booting and isolating the ATM network from any other internal bank network.
“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated. We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware,” – commented Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
Kaspersky Lab products detect this threat as Backdoor.Win32.Skimer.
Read the blog post on the ATM Infector and a story about security issues of modern ATMs on Securelist.com
As this is still an ongoing investigation, the full report has been shared with a closed audience consisting of LEAs, CERTs, financial institutions and Kaspersky Lab threat intelligence service customers. To learn more about this threat and to obtain exclusive access to Kaspersky Lab's repository of all Intelligence Reports, please contact us at firstname.lastname@example.org.