FireEye discovered a new ATM malware sample named "RIPPER," which it says is responsible for the theft of approximately...
$378,000 from ATMs across Thailand. How does this ATM malware work, and is there anything vendors can do to prevent more instances?
New ATM malware is starting to become a nonevent due to its prevalence, and it is something ATM manufacturers are already combating currently. It is turning into a constant competition between criminals and enterprise security programs. Unfortunately, ATMs are used in relatively insecure locations and have long lifespans, which makes protecting them over time more difficult.
The FireEye report on the RIPPER malware states that it has similar functionality to previous ATM malware, but is able to attack multiple brands of ATMs. Attackers use a specially manufactured ATM Europay, MasterCard and Visa (EMV) card for authentication; the malicious EMV chip is authenticated by the ATM and delivers the RIPPER malware to the system.
FireEye obtained the RIPPER malware from VirusTotal and analyzed it after they identified commonalities between ATM attacks in Thailand. The RIPPER ATM malware can disable network connections to reduce the chance of network-based alarms, delete logs to reduce evidence of the attack, set itself to look like a legitimate program on the endpoint and control cash dispensing.
ATM vendors can prevent ATM malware infections by using whitelisting. It is unclear why ATMs don't use whitelisting on a widespread basis, since the functionality of an ATM is very limited, and enterprises responsible for the machines should aim to prevent unapproved software from running on the ATMs. Whitelisting doesn't block all attacks, and it can be bypassed, but since ATMs don't run Microsoft Word, that specific bypass shouldn't work.
Enterprises with ATMs could also regularly scan the file system for unapproved files and set an alarm or disable all functionality if the logs are tampered with.
Learn about the self-deleting ATM malware GreenDispenser
Find out the impact of Conficker malware infections of industrial control systems and supervisory control and data acquisition systems
Discover how SWIFT network communications can be made more secure
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.