Trend Micro security researchers recently discovered a highly targeted piece of malware designed to steal information from automated teller machines (ATMs).
Dubbed PRILEX and written in Visual Basic 6.0 (VB6), the threat was designed to hijack a banking application and steal information from ATM users. The malware was spotted in Brazil, but similar threats could prove as harmful anywhere around the world, the security researchers say.
First reported in October 2017, PRILEX was designed to hook certain dynamic-link libraries (DLLs) and replace them with its own application screens. The targeted DLLs (P32disp0.dll, P32mmd.dll, and P32afd.dll) belong to the ATM application of a bank in Brazil.
Because of this atypical behavior, the researchers concluded that the malware was being used in a highly targeted attack. What’s more, the threat only affects a specific brand of ATMs, meaning that its operators might have possibly analyzed the machines to devise their attack method, Trend Micro explains.
After infecting a machine, the malware starts operating jointly with the banking application. Thus, the malware can display its own fake screen requesting the user to provide their account security code. The code is delivered to the user as part of a two-factor authentication method meant to protect ATM and online transactions, and the malware captures and stores the code.
The malware attempts to communicate with the command and control (C&C) server to send stolen credit card data and account security code. The security researchers believe the malware’s operators might be dealing bulk credit card credentials.
“To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes,” Trend Micro says.
PRILEX also shows that cybercriminals can analyze the methods and processes of any bank to abuse them in highly targeted attacks. Thus, all financial institutions should take this into consideration when defending their ATM infrastructure, especially since a silent attack as this could go unnoticed for months, if not years.
At the DefCamp conference in Bucharest in early November, Kaspersky Lab’s Olga Kochetova and Alexey Osipov explained how easy it is to create ATM botnets. Discoverable online, these devices are susceptible to a broad range of attacks and infecting a single machine could allow attackers to compromise a bank’s entire network.
“A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment. Gone are the days when banks were seen as unassailable—now they are simply the biggest fish in the sea. It is not easy to kill a whale, but it is possible—and doing so allows an attacker to eat for a long time,” Trend Micro notes.
CUTLET MAKER gets cracked
In addition to PRILEX, Trend Micro analyzed CUTLET MAKER, a relatively new ATM malware that was first detailed in October this year. A run-of-the-mill program, the malware consists of multiple components and can be run from a USB memory stick connected to an ATM. The malware relies on the Diebold Nixdorf DLL (CSCWCNG.dll) to send commands to the ATM’s dispensing unit.
Designed to empty the ATM of all its banknotes, the malware was found being sold on underground markets for as much as $5,000. However, it appears that competitors have already managed to crack its code, allowing anyone to use it for free.
Each time the malware is executed, a code is required to use the program and empty the ATM. Apparently, the threat doesn’t use time-based codes, but just an algorithm, which means that the same input would generate the same output, and some cybercriminals have already built a “key generator” to automatically calculate the return code.
“The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port,” Trend Micro says.
Thus, some have started selling the malware along with the keygen for much lower prices compared to the original. It appears that the malware’s developers haven’t responded yet, and no new version of the tool that uses a different algorithm has been released.