Tyupkin: manipulating ATM machines with malware

Earlier this year, at the request of a financial institution, Kaspersky Lab’s Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.

At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe.  Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.

Due to the nature of the devices where this malware is run, we do not have KSN data to determine the extent of the infections. However, based on statistics culled from VirusTotal, we have seen malware submissions from the following countries:

[Figure: map of countries from which Tyupkin samples were submitted to VirusTotal]

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However, this malware has evolved over time. In its latest variant (version .d) the malware implements anti-debug and anti-emulation techniques, and also disables McAfee Solidcore on the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk

After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AptraDebug" = "C:\Windows\system32\ulssm.exe"
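As an added example (not code from the article or from Kaspersky), the following Python checks a registry export and a Startup-folder listing for the two persistence indicators named above: the "AptraDebug" Run value launching ulssm.exe, and the AptraDebug.lnk shortcut. The .reg text and folder listing are constructed sample input; the Run value is the durable indicator, since the article notes the .lnk is removed after the malware's environment checks.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Indicators taken from the article (compared case-insensitively).
IOC_VALUE_NAME = "aptradebug"
IOC_EXE = r"c:\windows\system32\ulssm.exe"
IOC_LNK = "aptradebug.lnk"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            m = re.match(r'^"([^"]+)"\s*=\s*"(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; undo that.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_tyupkin_indicators(reg_text, startup_listing):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == IOC_VALUE_NAME or data.lower() == IOC_EXE:
            findings.append(f"Run value '{name}' launches {data}")
    for entry in startup_listing:
        if entry.strip().lower().endswith(IOC_LNK):
            findings.append(f"Startup shortcut present: {entry.strip()}")
    return findings


# Constructed sample input: a registry export with one benign and one suspicious value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"AptraDebug"="C:\\Windows\\system32\\ulssm.exe"
'''
SAMPLE_STARTUP = ["desktop.ini", "AptraDebug.lnk"]

if __name__ == "__main__":
    for finding in find_tyupkin_indicators(SAMPLE_REG, SAMPLE_STARTUP):
        print("ALERT:", finding)
```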

The malware is then able to interact with the ATM through the standard library MSXFS.dll (Extension for Financial Services, XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

  • XXXXXX – Shows the main window.
  • XXXXXX – Self-deletes using a batch file.
  • XXXXXX – Increases the malware activity period.
  • XXXXXX – Hides the main window.

After every command the operator must press “Enter” on the ATM’s pin pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the “Show the main window” command, the malware shows the message “ENTER SESSION KEY TO PROCEED!” using a random seed for each session.

The malicious operator must know the algorithm that generates a session key from the seed shown. Only when this key is entered correctly is it possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION –
ENTER CASSETTE NUMBER AND PRESS ENTER.

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.


When the session key entered is incorrect, the malware disables the local network and shows the message:

DISABLING LOCAL AREA NETWORK…
PLEASE WAIT…

It is not clear why the malware disables the local network. This is likely done to delay or disrupt remote investigations.

A video demonstrating the malware on a real ATM is available:

Conclusion

Over the last few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software.  Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to arrests and prosecution of cyber-criminals.

The successful use of skimmers to secretly swipe credit and debit card data when customers slip their cards into ATMs at banks or gas stations is well known and has led to a greater awareness for the public to be on the lookout – and take precautions – when using public ATMs.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.   This is done by infecting ATMs directly or direct APT-style attacks against the bank.  The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.

Our recommendation for banks is to review the physical security of their ATMs and consider investing in quality security solutions.

Mitigation recommendations

We recommend that financial institutions and businesses that operate ATMs on premises consider the following mitigation guidance:

  • Review the physical security of their ATMs and consider investing in quality security solutions.
  • Change default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
  • Install an ATM security alarm and make sure that it works. It was observed that the cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed.
  • For instructions on how to verify in one step that your ATMs are not currently infected, please contact us at intelreports@kaspersky.com. For a full scan of the ATM's system and removal of the backdoor, please use the free Kaspersky Virus Removal Tool (you may download it here).

General advice for on-premise ATM operators

  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors of security alarms, security cameras or other devices on premises.
  • Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.
  • For more advice for both merchants and users, please visit http://www.link.co.uk/AboutLINK/site-owners/Pages/Security-for-ATMs.aspx

Comments (21)
  1. Henry Freyer

    Can you tell me the MD5 hash for this version? I have two different versions that have slightly different screen messages and the hashes are "0xEA671379251CC080407A0DD7211395B3" and "0X69BE938ABE7F28615D933D5CE55057C". On your version the screen states "CASH OPERATION PERMITTED." On both of my versions the screen states "DISPENSE PERMISSION GRANTED". I have a different hash for one found in Malaysia: "0x700E91A24F5CADD0CB7507F0D0077B26"

  2. Does this attack require physical access?

    1. Craig

      Yes. The attacker must insert a bootable CD.

    2. Henry Freyer

      Yes. Loaded via CD. I do not have a copy of the CD. The base applications look the same, but there are differences in the two that I have. I have been working on them with IdaPro.

  3. didit dwi

    How about disable an autorun feature and set hdd as the only boot drive? Can it work?

  4. Tyupkin MD5:
    af945758905e0615a10fe23070998b9b
    700e91a24f5cadd0cb7507f0d0077b26

  5. James

    Wow

  6. Tester

    As I see it, none of the ATMs will have a CD drive, so how is a bootable CD inserted?

  7. Imran

    As it is stated that the malware infects systems running a 32-bit x86 operating system, why not use a 64-bit operating system? Secure OS file systems from any external manipulation and harden the operating system using best security practices. That should limit the malware from being initiated.

  8. NCR

    I have a suggestion. Make it clear that this requires physical access first. Then that the ATM has a CD/DVD drive and then that the ATM does not already prevent booting from the drive. In addition, learn vocabulary. “on-premise” is incorrect. Look up premise. You mean on-premises. Makes you look dumb.

  9. miss teeray

    If the malware is installed via bootable CD, disabling CD boot in the BIOS and password protecting BIOS access would prevent it.

  10. buke

    How can I get that CD? Because I am in need of it.

  11. gangaskan

    Or how about removing the CD-ROM drive, disabling all unused ATA/SATA ports, disabling all USB ports if possible, and then locking the BIOS with a strong password and making the PC prone to BIOS resets if at all possible.

    Problem solved.

  12. Nameski

    Why not insert a Big Mac into the CD-ROM drive, filling it with beef and special sauce so that the criminal gang cannot insert their CD?

  13. name name

    Could you inform about UEFI Extreme Privilege Escalation? It's hardware, too...
    One of the most dangerous bugs ever, and mainboard companies react with dumbness and impudence.

  14. Mist

    From reading other articles on Tyupkin and Ploutus, they have all stated that these malware hacks have not been seen in the UK or London. Well, that's about as true as the UK government's pledge to the UK people.

    I've seen this hack in London with my own eyes.

  15. Slide

    Let's talk. I would like the .exe for Ploutus or Tyupkin... I'm still uncertain of how this works but I would love to test it; pretty sure I can figure it out once I play around with it... try it on a NYC ATM... If you're reading this, contact me. I may have something you need now or in the future.

    PS: I want that software, let's work something out. I'm from America, everything is negotiable >> link me on ICQ# 696402282

  16. yersei

    A really very dangerous new threat in your hardware. Hardware for AMD CPUs.

    Fixed AMD AGESA
    Matroshka processors – AMD x86 SMU firmware analysis
    Rudolf Marek(r.marek@assembler.cz) 31.CCC-Congress 2014

  17. Michaelb

    It really surprises me the effort the banks' IT goes to to secure their desktop environment, yet ATMs loaded with loads of cash out there are vulnerable and lack all of the so-called security features the bank needs to prevent them from being compromised by "ME", their 'trusted' employee! On my laptop I cannot use the CD-ROM or USB key, and I have tried booting from them, which I can't either. I'm locked out of the BIOS and my machine uses disk encryption by McAfee Endpoint Encryption. So even if I was able to boot from USB or CD I could not have written any malware to the operating system. If only they did the same for their ATM assets they would not have been hit, and yes, I work for one of the banks hit in KL.

  18. I have this – this is not a bootable CD, this is an Autorun USB you put in the ATM

    I have this malware; contact me for info: 632291300 or soccorio@jabber.ru

  19. frak

    No comment
