GreenDispenser ATM malware with added 2FA


What if you could just walk up to an ATM machine and rob the bank right there? What if you also used two factor authentication to stop other robbers doing the same? That’s what Proofpoint researchers have discovered is happening with GreenDispenser ATM malware.

Attacks on hole-in-the-wall cash machines are not new, and neither is the technology the bad guys are attacking. That’s the problem. Towards the end of last year, Kaspersky Labs identified malware called Tyupkin that was able to directly attack an ATM and empty the cash cassette of specific machines running a 32-bit Windows OS. Tyupkin required physical access to the machine, a bootable CD had to be inserted to load the malware, however, once infected it gave access to cash at certain times on specific days. Obviously such access to the ATM back-end suggests an inside job, and investigations back then showed only ATMs without active secure alarms were being infected.

Brian Krebs has interviewed a security compliance director for one of the biggest manufacturers of ATMs, NCR, whose machines were at the centre of malware attacks in Malaysia last year where thieves stole upwards of US $1 million. In that interview, Owen Wild (the chap concerned) said that “attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box” and “you don’t have to be an ATM expert or have inside knowledge to generate or code malware for ATMs.” Read the full interview for context, but those two statements alone are worrying enough right there. No wonder the bad guys are looking to the hole-in-the-wall for some relatively easy money.

Fast forward a year and Proofpoint researchers have published details of a new ATM malware campaign that they have called GreenDispenser. This works in much the same way, in that it requires physical access to install and enables a thief to walk up, type in, and walk away with cash. Lots of cash.

GreenDispenser infected machines will display an out of service message, but the attacker can bypass this by entering the right codes. Even better for the thief, and a lot worse for the machine provider, the whole process can be wiped using a ‘deep delete’ system that leaves little in the way for investigators to trace back. Currently the attacks appear to be limited mainly to Mexico, although India is implicated as well, and appears to be able to target hardware from multiple vendors as long as they use the XFS standard adopted by large numbers of them.

There are thousands and thousands of vulnerable ATMs in place. At $20k-$30k per machine, this could be a valuable attack

The GreenDispenser infections uncovered by Proofpoint were all limited in operation, with a coded-in requirement for live infection only before September 2015 after which it would be deactivated.

This could be to limit the chances of being caught, or simply because the gang were testing the real world practicalities of the malware. Interestingly, Proofpoint suspects the attackers have a portable app running on a smartphone that can act in a similar way to a two-factor authentication device when activating the ‘dormant’ infected machine. This two-factor element distinguishes GreenDispenser from earlier ATM malware families; specifically, it requires a static hard-coded PIN to be entered, followed by a dynamic PIN unique to each malware run and derived from a QR code displayed on the screen of the infected machine. This, Proofpoint suggests, is how the attack gang ensures that only an ‘authorised’ attacker can steal any money.

Proofpoint researchers believe they are seeing “the dawn of a new criminal industry targeting ATMs with only more to come” and that in order to stay one step ahead financial institutions “should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.”

IT Security Thing this afternoon asked Kevin Epstein, VP of Threat Operations at Proofpoint, how commonplace he thinks ATM malware is right now.

“There have only been a few ATM malware discoveries in the past few years” Epstein told us, continuing “such discoveries are rare. It’s not clear if that is a reflection of the prevalence of the malware, or the sophistication of the attacks, as the malware is designed to delete all traces of itself. Since this is not the type of attack that is typically widely reported, we have no exact numbers. There are thousands and thousands of vulnerable ATMs in place. At $20k-$30k per machine, this could be a valuable attack.”

So have the banks and other financial institutions dropped the security ball when it comes to these legacy ATM systems? “Cyberattacks in all industries continue to evolve at a rapid pace. Good security requires constant vigilance and re-examination of systems in place,” Epstein concluded. “Just as is the case in the physical world, obsolescence happens; cutting-edge security of a few years ago is no longer cutting-edge. When attempting to defend against modern cyberattacks, legacy security… isn’t”