INJX_Pure

INJX_Pure is a rather unique representative of the subset of malware that targets ATMs and is used for jackpotting attacks (hacks that force the ATMs to start dispensing cash). While most threats of this type are created to target as many machines belonging to as many banks located in as many countries around the world as possible, INJX_Pure takes the opposite approach. Upon analyzing its underlying code, the researchers discovered that INJX_Pure was designed to attack a small subset of ATMs that belonged to a specific bank. The first samples of this threat were uploaded from Mexico and later from Colombia.

To carry out the attack, INJX_Pure manipulates the XSF (eXtensions for Financial Services) interface, which is used to support the basic functions of the ATM. In addition, however, INJX_Pure also exploited the bank's proprietary software. Researchers strongly believe that the hackers had managed to breach the bank's security protocols and infiltrate the network the ATMs connect to because INJX_Pure cannot be controlled through the ATM's keyboard or touchscreen and instead it receives commands from a self-crafted HTTP server Web interface.

After injecting itself into the targeted device, the malware generates a message in Russian, Portuguese, Spanish, and Chinese, that can be translated to "Freedom and glory." Another line in Russian saying "separate" also is present, but researchers believe that this is a false lead to point towards Russian-based hackers because it is not a native way to use this specific word.

The next step in INJX_Pure's operations is to start an HTTP server that only accepts commands in the form of predefined URLs. Depending on the received command, the malware can force the ATM to start dispensing money, load a specified .jar file, allow access to a list of all running classes for the attached Java virtual machine and run user code on the targeted device.