Alice malware unlocks ATMs.
Alice malware unlocks ATMs.

A new malware family, dubbed Alice, has been detected that is solely focused on making ATMs spit out cash.

Unlike other ATM malware families, the "stripped down" malware does not enable attackers to control operations via the numeric keypad of ATMs and it does not contain information-stealing characteristics. Rather, it is designed solely to cause ATMs to give up their cash, according to Trend Micro, which first detected the malware last month.

Explaining that there have only been eight unique ATM malware families detected over the past nine years, the researchers said this new find is "remarkable because it shows a clear tendency for malware writers to attack an ever-increasing variety of platforms."

Malware attacks on ATMs have increased over the past three years because that's where the money is, wrote David Sancho and Numaan Huq, the co-authors of the report and both senior threat researchers at Trend Micro.

Looking at PE compilation times and Virustotal submission dates, the researchers determined that Alice has been in the wild since at least October 2014.

Seeking particular registry keys to determine it is running on an ATM, the code first verifies that it is running within a proper Extensions for Financial Services XFS environment. It then connects to the CurrencyDispenser1 peripheral, the default name for the dispenser device in the XFS environment, the report explained. During this process, it is not issuing any commands that would establish a connection with other ATM hardware, which denies the attackers the ability to issue commands via the PIN pad.

But, after a correct PIN code is entered, Alice opens the "operator panel," a screen that displays the cassettes inside the ATM in which cash is stored. "When the money mule inputs the cassette number in the operator panel, the CurrencyDispenser1 peripheral is sent the dispense command via the WFSExecute API and stored cash is dispensed," the report said.

The researchers conclude that because of Alice's focus on attacking only the money safe via the CurrencyDispenser1 peripheral, the miscreants behind the malware are required to physically open the ATM in order to download the code via a USB or CD-ROM and then attach a keyboard to the device's mainboard to operate the malware.

Further, the researchers believe the code has been created to run on "any vendor's hardware configured to use the Microsoft Extended Financial Services middleware (XFS)."

The cyberthieves' use of obfuscation illustrates that they are becoming more sophisticated in their strategies, they said. "Today, they are using commercial off-the-shelf packers; tomorrow we expect to see them start to use custom packers and other obfuscation techniques."

ATM malware has been around for nearly 10 years, Peter Nguyen, director of technical services at LightCyber, told SC Media. "The new BKDR_ALICE.A strain is perhaps less sophisticated and potentially damaging as previous ATM-specific malware."

He points to the necessity of having physical access to an ATM's USB port or CD-ROM drive. "That obviously limits how broadly it can be deployed, since ATMs are in public places and covered by video surveillance cameras."

But, he explained, another way to infect ATMs with this or other malware is through the bank's network. "In this case, a cybercriminal must gain access to a bank's network, explore it and figure out how to get to subnetworks connecting ATMs and then move laterally to gain access."

This cyber sleuthing is standard procedure for most any network attack, he said, regardless of whether an attacker is trying to steal healthcare data, personal details, intellectual property or business secrets. 

"Most enterprises lack the ability to detect an active attacker at work on a network, but larger banks tend to have the best chance of spotting an intruder since they typically have much larger security operations teams and are armed with more tools," Nguyen told SC Media. "Network-driven ATM malware seems to be rare. It offers a much bigger payoff for a cybercriminal, because it can readily scale to many ATMs and does not have the risk involved with physically compromising an ATM to gain access to its computing hardware."

At the same time, he added, it would be difficult to pull off, at least in larger banks, and that accounts for not seeing this type of attack. "Sophisticated attackers that can successfully conduct a network-based ATM attack could vastly elevate this kind of threat. Banks need to be increasing their network detection capabilities with newer behavioral analytics to ensure that a network attack would not be successful.”