RIPPER malware suspected behind $350K Thailand ATM heist, report

RIPPER shared several traits with previous variants of ATM Malware but it also includes new features and capabilities.

FireEye researchers dove into the inner workings of the RIPPER ATM malware which they believe allowed a pack of cyberthieves to make off with a jackpot worth 12 million baht ($350,000 U.S.).

At first glance, RIPPER shares several traits with previous variants of ATM malware, but it also includes new features and capabilities, some of which are firsts, including the ability to target three of the main ATM vendors worldwide, according to an Aug. 26 blog post.

“It uses the same code for the three platforms that interacts with the XFS Middleware,” FireEye Senior Staff Malware Researcher Daniel Regalado told SCMagazine.com via emailed comments. “That is possible since the XFS Middleware is a standard supported by all ATM vendors.”

Another new feature is how the malware interacts with the ATM: the operator inserts a specially manufactured ATM card with an EMV chip, which serves as an authentication mechanism. Although the Skimmer malware family has also used this approach, researchers said it is an uncommon mechanism.

Researchers compared similarities between RIPPER and the ATM theft in Thailand noting that a sample of the malware was uploaded to VirusTotal from an IP address in Thailand just a few minutes before the Bangkok Post reported the theft of 12 million baht from ATMs, the post said.

According to public sources, the thieves physically accessed the ATMs in August 2016; the affected ATMs were of a consistent brand; open sources reported that the malware disconnected the ATMs from the network; and the malware sample requires an ATM with an EMV chip reader.

The researchers' analysis of RIPPER found that the sample was submitted from Thailand, carried a PE timestamp of July 10, 2016, matched the brand of ATM affected, and required an ATM with an EMV chip reader.

“This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices,” researchers said in the post. “In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical.”

The suspects in the heist, who are believed to be behind similar ATM thefts in Taiwan, reportedly fled Thailand after stealing the 12 million baht from a state-run bank.

“I think these heists will continue in those countries that still have those old Windows XP ATM Machines running the affected ATM Vendor software,” Regalado said.
