Credit card skimming malware targeting ATMs

From time to time, because they know I work for SophosLabs, my friends ask me about different malware types and forward me warnings of alleged malware outbreaks, which often turn out to be just standard hoax emails.

If anybody asked me a couple of days ago about malware targeting cash machines I would be fairly sure they have received another hoax message and try to reassure them. I would tell them that there are no malware samples targeting ATMs and that infecting ATMs with malicious program to steal credit card details and PINs would be a very difficult job.

I would also add that:

  • ATMs often run non-standard operating systems
  • Even if they run Windows, it would be a customized build of Windows Embedded
  • ATMs use specialised and undocumented hardware and software interfaces and reverse engineering is a difficult job
  • ATMs are usually on a private isolated network so malware would not be able to reach them easily
  • Physical access is possible but there are many sensors to detect that the device is accessed without the master key

Even though it is possible to compromise cash machines with malware, the “return on investment” is much higher on standard desktop information stealing malware so if anybody decides to attack ATMs it must be highly targeted and most probably an insider job. ATM attackers are commonly known to use specialised hardware devices – credit card skimmers, in combination with webcams to capture credit card numbers together with PIN information, not malware.

Yesterday however, a good friend of mine who works for a bank contacted me with a similar question.

He had heard some rumours about compromised cash machines in Russia infected with a Trojan that captures credit card details and distributes the captured details to attackers.

I decided to check in our malware database to see if there are any samples that reference Diebold, the manufacturer of ATMs allegedly targeted and found 3 recently acquired files. They all looked similar but there was nothing obvious to be picked up by our automated analysis systems which would automatically classify them as malicious.

The main executable is a dropper with the drop object stored in one of the PE resources, as often is the case with Trojan droppers. The code stops and modifies the Protected storage service to launch the dropped file lsass.exe from the Windows folder, not the original one in Windows System folder and attempts to replace some files belonging to the software used by ATMs.

The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code to ATM’s processes, parse transactions in Ukrainian, Russian and US currencies and use printer, probably for printing the stolen data. I am also fairly sure that some of the instructions to the keyboard for typing PIN numbers are connected with hooks to log the captured PINs.

Skimer code

By uncovering code that appears to encrypt data and a possible alternative user interface it seems to me that the stolen data is encrypted, probably to allow the attackers to use “money mules” to retrieve the data in person.

This also indicates that attackers require physical access to cash machines to install the Trojan. Overall, the malware seems to be a work of a programmer with a good knowldege of the internals of Diebold ATMs.

Despite finding real credit card skimming samples I do not believe that malware attacks on ATMs will become mainstream.

I hope I am right, though I will also do some research to find out which ATM models have the smallest physical footprint, in case we need to order one to analyse more ATM malware in the future!

Sophos products detect these Trojans as Troj/Skimer-A.

Further reading: Is there malware in your ATM? and More details on the Diebold ATM Trojan horse case from Graham Cluley’s blog.