The malware allowed criminals, with physical access to ATMs, to steal millions, Kaspersky revealed.

New malware, called “Tyupkin,” has been used by criminals to withdraw millions in cash from ATM machines running 32-bit Windows platforms – and researchers warn that the threat has continued to evolve in recent months.

Kaspersky revealed Tuesday that Tyupkin was active on more than 50 ATMs throughout Eastern Europe earlier this year, and that the malware appears to have since spread to the U.S. and other countries, including India and China.

The security firm discovered the malware during an investigation launched at the request of a financial institution, the company said in a blog post. The malware affects machines made by a “major ATM manufacturer,” which Kaspersky did not name, and was designed to evade detection through a number of tactics.

Researchers noted that Tyupkin is active only during a specific time at night, and uses a key “based on a random seed for every session,” which allows the attacker to interact with the targeted machine, the post said.

“When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette,” the firm explained.

Fraudsters need physical access to ATMs in order to install the malware by way of a bootable CD.

Kaspersky said that the malware's use of unique session keys keeps “random users” from interacting with infected ATMs. Furthermore, if the wrong session key is entered, Tyupkin disables the local network, most likely to interfere with remote investigations, the firm added.

Researchers noted that most of the malware samples they analyzed were collected in March, but that the malware had evolved since then – in its latest iteration leveraging anti-debugging and anti-emulation techniques and disabling a security solution, McAfee Solidcore. Kaspersky uploaded a video on YouTube demonstrating the attack.
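The behaviours reported above (installation from a bootable CD, activity restricted to a night-time window, the local network being disabled, and a security agent being stopped before a full-cassette dispense) are the kind of host events an ATM operator can correlate. The following is an added example, not code from Kaspersky or from the article: it parses a few constructed log lines in an assumed `<timestamp> <source> <message>` format, tags each line with the indicator it matches, and raises an alert when several distinct indicators appear together. The night-time window (00:00 to 05:00) and the log format are assumptions; the article does not give either.

```python
"""Correlate constructed ATM host events against the behaviours the article reports."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log, not real Tyupkin telemetry. Assumed format:
# "<ISO timestamp> <source> <message>"
SAMPLE_LOG = """\
2014-03-02T01:05:13 boot boot device=CDROM
2014-03-02T01:07:40 svc  service McAfee Solidcore stopped
2014-03-02T01:30:02 net  interface LAN1 disabled
2014-03-02T02:15:55 cash dispense cassette=2 notes=40
2014-03-02T14:20:10 cash dispense cassette=1 notes=3
2014-03-02T14:22:00 net  interface LAN1 enabled
"""

# Assumed night-time window; the article only says "a specific time at night".
NIGHT_START, NIGHT_END = time(0, 0), time(5, 0)


@dataclass
class Event:
    ts: datetime
    source: str
    message: str


def parse_log(text: str) -> list[Event]:
    """Split each non-empty line into timestamp, source and free-text message."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, message = line.split(maxsplit=2)
        events.append(Event(datetime.fromisoformat(ts), source, message))
    return events


def in_night_window(ts: datetime) -> bool:
    """True when the event falls inside the assumed after-hours window."""
    return NIGHT_START <= ts.time() < NIGHT_END


def indicators_for(event: Event) -> list[str]:
    """Map one event to the reported behaviours it matches (possibly none)."""
    msg = event.message
    found = []
    if event.source == "boot" and "CDROM" in msg:
        found.append("boot_from_removable_media")  # bootable-CD installation
    if event.source == "svc" and "Solidcore" in msg and msg.endswith("stopped"):
        found.append("security_agent_stopped")  # security solution disabled
    if event.source == "net" and msg.endswith("disabled"):
        found.append("network_interface_disabled")  # local network cut off
    if event.source == "cash" and msg.startswith("dispense"):
        notes = int(msg.rsplit("notes=", 1)[1])
        # The article reports 40 notes withdrawn from a selected cassette.
        if notes >= 40 and in_night_window(event.ts):
            found.append("max_dispense_after_hours")
    return found


def correlate(events: list[Event]) -> dict[str, list[datetime]]:
    """Collect, per indicator, the timestamps at which it was observed."""
    hits: dict[str, list[datetime]] = {}
    for ev in events:
        for indicator in indicators_for(ev):
            hits.setdefault(indicator, []).append(ev.ts)
    return hits


def assess(hits: dict[str, list[datetime]], min_indicators: int = 3) -> bool:
    """Alert only when several distinct indicators co-occur, to limit false positives."""
    return len(hits) >= min_indicators


if __name__ == "__main__":
    observed = correlate(parse_log(SAMPLE_LOG))
    for name, stamps in sorted(observed.items()):
        print(f"{name}: first seen {min(stamps).isoformat()}")
    print("ALERT" if assess(observed) else "no alert")
```

A single indicator, such as one network interface going down, is routine on its own; the value is in requiring several of the reported behaviours to line up, which is why `assess` thresholds on the number of distinct indicators rather than on any one of them.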

Kaspersky's investigation found that attackers used the malware to empty cash machines, stealing “millions of dollars.”

Analysts have continued to warn the financial sector of evolving ATM attacks, particularly as the deadline for EMV migration in the U.S. looms, after which skimming scams alone will no longer suffice for fraudsters seeking to steal funds.