A new family of ATM malware, dubbed ATMii, is using legitimate proprietary libraries and a small piece of code to cause the machines to spit out money and targets older Windows versions.
The malware was first spotted in April 2017 and was described as straightforward, consisting of only two modules: an injector and the module to be injected, Kaspersky researcher Konstantin Zykov said in an Oct. 10 blog post.
“To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM,” Zykov said in the post.
The injector is an unprotected command line application, written in Visual C, with a compilation timestamp dated Nov. 1, 2013; however, researchers believe the timestamp is fake.
Zykov said the best countermeasures against attacks using the malware are to use default-deny policies and device control to prevent criminals from running their own code on the ATM’s internal PC and to prevent them from connecting new devices, such as USB sticks.