ATMRIPPER

ATMRIPPER is a threat infection designed to attack ATMs. ATMRIPPER has several characteristics that have attracted the attention of PC security analysts. ATMRIPPER was observed originating from an IP address in Thailand only minutes before the news were reported that 12 million Baht had been taken from ATMs belonging to Thai banks. The name ATMRIPPER comes from a project name identified in a sample of ATMRIPPER uncovered by malware analysts. It is highly likely that this malware threat was the one used in the high-profile attack in Thailand recently.

ATMRIPPER and Its Connections to Other ATM Threats

ATMRIPPER seems to have several connections with previous ATM threats. ATMRIPPER targets the same ATM brand as several other previously known threats. TMRIPPER uses a technique to obtain money from ATM that is also used by PadPin (Tyupkin), GreenDispenser and SUCEFUL. ATMRIPPER is similar to this last threat in that it can control the Card Reader on the infected ATM to read or eject cards based on commands from the people controlling ATMRIPPER. ATMRIPPER is similar to PadPin in that it can disable the local network interface. ATMRIPPER is similar to GreenDispenser in that it uses the 'sdelete' secure deletion tool to remove all traces of the attack from the infected machine.

Apart from the similarities listed above, ATMRIPPER also includes several new features that have attracted the attention of PC security analysts. ATMRIPPER targets the three principal vendors of ATMs currently active around the world. ATMRIPPER interacts with the targeted machine by inserting an ATM card that was specially created to include an authentication EMV chip. This is not a common approach, although it was also observed in attacks involving the Skimmer family of threats previously.

The Features that Make ATMRIPPER a High Profile ATM Threat

ATMRIPPER can persist on the infected ATM as a standalone service, as well as by impersonating a real ATM memory process. ATMRIPPER can be installed as a service on the infected ATM and will take steps to kill the memory processes used by ATMs belonging to the three principal vendors that could interfere with the ATMRIPPER attack. ATMRIPPER can replace legitimate executable files often found on these ATMs with a renamed version of itself, which can help it evade detection. Once installed on the targeted ATM, ATMRIPPER can monitor the Card Reader to detect a card with the corrupted EMV chip; when this card is inserted, ATMRIPPER allows the con artist to control the ATM. Instructions are entered using the Pin Pad. ATMRIPPER gives con artists several options:

1. ATMRIPPER allows these people to clean the logs of the targeted ATM machine.
2. ATMRIPPER can hide its graphical user interface immediately.
3. ATMRIPPER can disable the local network interface, which prevents the infected ATM from establishing a connection with the bank.
4. ATMRIPPER also can reboot the system and eject the threatening card.
5. Of course, ATMRIPPER allows third parties to control the infected ATM, withdrawing money and carrying out other operations without needing to have a valid card.

ATMRIPPER Represents a Real Threat to ATM Vendors

It is clear that ATMRIPPER has been involved in recent thefts on ATMs, including the high-profile attack in Thailand. Although ATMRIPPER has similarities with known ATM threat families, the fact that ATMRIPPER can attack ATMs belonging to multiple ATM vendors and that it uses unfamiliar approaches in its attack makes ATMRIPPER a particularly worrying threat to ATM vendors and banks. This says a lot about the group involved in the ATMRIPPER attacks. This is a sophisticated threat that requires coordinating coding with physical aspects in the attack that require substantial resources and knowledge. It will be a challenge for PC security researchers and ATM vendors to ensure that existing and future ATMs are protected from ATMRIPPER and any attacks that could stem from the appearance of this ATM threat adequately.