
How does RIPPER ATM malware use malicious EMV chips?

RIPPER malware has been found responsible for the theft of $378,000 from ATMs in Thailand. Expert Nick Lewis explains how this ATM malware works.

FireEye discovered a new ATM malware sample named "RIPPER," which it says is responsible for the theft of approximately $378,000 from ATMs across Thailand. How does this ATM malware work, and is there anything vendors can do to prevent more instances?

New ATM malware is becoming a nonevent simply because of how common it now is, and ATM manufacturers are already combating it. It has turned into a constant competition between criminals and enterprise security programs. Unfortunately, ATMs are deployed in relatively insecure locations and have long lifespans, which makes protecting them over time more difficult.

The FireEye report on the RIPPER malware states that it has similar functionality to previous ATM malware, but is able to attack multiple brands of ATMs. Attackers use a specially manufactured ATM Europay, MasterCard and Visa (EMV) card for authentication; the malicious EMV chip is authenticated by the ATM and delivers the RIPPER malware to the system.

FireEye obtained the RIPPER malware from VirusTotal and analyzed it after it identified commonalities between ATM attacks in Thailand. The RIPPER ATM malware can disable network connections to reduce the chance of network-based alarms, delete logs to reduce evidence of the attack, disguise itself as a legitimate program on the endpoint and control cash dispensing.

ATM vendors can prevent ATM malware infections by using whitelisting. It is unclear why ATMs don't use whitelisting on a widespread basis: the functionality of an ATM is very limited, and the enterprises responsible for the machines should aim to prevent any unapproved software from running on them. Whitelisting doesn't block all attacks, and it can be bypassed, but since ATMs don't run general-purpose applications like Microsoft Word, bypasses that depend on such applications shouldn't work.

Enterprises with ATMs could also regularly scan the file system for unapproved files, and set an alarm or disable all ATM functionality if the logs are tampered with.
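As an added illustration of the two controls suggested above (an allowlist audit of the file system and an append-only check on the logs), here is example code written for this page; it is not FireEye's or any ATM vendor's tooling. The directory layout, file names and log lines are constructed for the demo, and a real deployment would sign the baseline and run the check from a component the malware cannot disable.

```python
"""Allowlist audit of an ATM-style application directory plus a
tamper check on an append-only event log (added example, constructed data)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the hash of every approved file under root; this is the allowlist."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def audit_filesystem(root, baseline):
    """Compare the current tree with the baseline. A file absent from the
    allowlist (such as a dropped malware binary) is unapproved; a changed
    hash means an approved file was replaced or patched."""
    current = build_baseline(root)
    return {
        "unapproved": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def log_checkpoint(path):
    """Snapshot an append-only log: its size and the hash of its contents so far."""
    return {"size": os.path.getsize(path), "digest": sha256_file(path)}


def log_tampered(path, checkpoint):
    """A legitimate log only grows. If it vanished, shrank, or the bytes up to the
    checkpointed size no longer hash to the same value, it was truncated or rewritten."""
    if not os.path.exists(path):
        return True
    if os.path.getsize(path) < checkpoint["size"]:
        return True
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(checkpoint["size"]))
    return h.hexdigest() != checkpoint["digest"]


def demo():
    """Build a constructed ATM software tree, baseline it, then simulate an
    intrusion in which an unapproved binary appears and the event log is wiped."""
    root = tempfile.mkdtemp()
    try:
        app = os.path.join(root, "app")          # allowlisted application directory
        os.makedirs(app)
        with open(os.path.join(app, "dispenser_service.exe"), "wb") as f:
            f.write(b"approved dispenser service (constructed)")
        log = os.path.join(root, "events.log")   # kept outside the allowlisted tree
        with open(log, "w") as f:
            f.write("2017-01-01 boot ok\n2017-01-01 card session start\n")

        baseline = build_baseline(app)           # taken at provisioning time
        checkpoint = log_checkpoint(log)         # taken at the last known-good audit

        # Normal operation: the log grows, nothing else changes.
        with open(log, "a") as f:
            f.write("2017-01-02 card session end\n")
        clean = {"audit": audit_filesystem(app, baseline),
                 "log_tampered": log_tampered(log, checkpoint)}

        # Simulated infection: an unapproved binary is dropped and the log is emptied.
        with open(os.path.join(app, "ripper.exe"), "wb") as f:
            f.write(b"unapproved binary (constructed)")
        with open(log, "w") as f:
            f.write("")
        infected = {"audit": audit_filesystem(app, baseline),
                    "log_tampered": log_tampered(log, checkpoint)}
        return {"clean": clean, "infected": infected}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In the clean run the audit reports nothing and the log check passes; in the simulated infection the audit names the unapproved file and the truncated log trips the tamper check, which is the condition under which the article suggests raising an alarm or disabling the machine.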

Next Steps

Learn about the self-deleting ATM malware GreenDispenser

Find out the impact of Conficker malware infections of industrial control systems and supervisory control and data acquisition systems

Discover how SWIFT network communications can be made more secure

This was last published in January 2017

What protections does your enterprise have in place to prevent malware attacks on ATMs?
I did not think it was that easy to use the EMV chip for such a purpose. Maybe some "inside" help was needed so they could configure their chips to work?

ATM management and upkeep have lagged behind, but vendors and enterprises are now catching up. Smaller businesses usually contract with the vendor to manage their ATMs.
