ATM malware ‘Tyupkin’ found on over 50 machines in Europe, spreads to U.S.

New malware, called “Tyupkin,” has been used by criminals to withdraw millions in cash from ATM machines running 32-bit Windows platforms – and researchers warn that the threat has continued to evolve in recent months.

Kaspersky revealed Tuesday that Tyupkin was active on more than 50 ATMs throughout Eastern Europe earlier this year, and that the malware appears to have since spread to the U.S. and other countries, including India and China.

The security firm discovered the malware during an investigation, launched at the request of a financial institution, the company said in a blog post. The malware affects machines made by a "major ATM manufacturer" which remains unnamed by Kaspersky and was designed to evade detection through a number of tactics.

Researchers noted that Tyupkin is active only during a specific time at night, and uses a key "based on a random seed for every session,” which allows the attacker to interact with the targeted machine, the post said.

“When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette,” the firm explained.

Fraudsters need physical access to ATMs in order to install the malware by way of a bootable CD.

Kaspersky said that the malware's use of unique session keys keeps “random users” from interacting with infected ATMs. Furthermore, if the wrong session key is entered, Tyupkin disables the local network, most likely to interfere with remote investigations, the firm added.

Researchers noted that most of the malware samples they analyzed were collected in March, but that the malware had evolved since then – in its latest iteration leveraging anti-debugging and anti-emulation techniques and disabling a security solution, McAfee Solidcore. Kaspersky uploaded a video on YouTube demonstrating the attack.

Kasperksy's investigation found that the malware was used to empty cash machines where attackers stole “millions of dollars.”

Analysts have continued to warn the financial sector of evolving ATM attacks, particularly as the deadline for EMV migration in the U.S. looms, meaning fraudsters' dependence on skimming scams to steal funds will no longer suffice.

Last September, for instance, malware, called Ploutus, known for causing money machines in Mexico to spit out money, was discovered. In only a couple of weeks time, an updated English-language version of Ploutus was also discovered by researchers.

“The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure,” Kaspersky said in its blog post. “The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.”

To mitigate threats such as Tyupkin, researchers advised financial institutions, and other businesses operating ATMs, to review the physical security of their machines, invest in security solutions and avoid using default master keys provided by vendors, the blog said. Kaspersky noted that the attackers leveraging Tyupkin infected ATMs that didn't have security alarms installed.

In emailed commentary sent to, Jean-Philippe Taggart, senior security researcher at Malwarebytes Labs, said Tuesday that the physical access required in Tyupkin attacks “severely limits what can be achieved" by fraudsters. Still, the malware “attacks the bank infrastructure directly, so while customers' accounts are not being drained, they will feel the pain when the banks transfer the costs of fraud over with higher fees," he continued.

“The larger issue is that the banks still do risk analysis and fraud budgets to evaluate if the problem needs immediate attention, rather than addressing the problem from the get go,” he added.

UPDATE: In Wednesday email correspondence with, Vicente Diaz, principal security researcher at Kaspersky Lab, said that Tyupkin targets ATMs running Windows XP as well as Windows 7.

"We haven't found other models from the [ATM] manufacturer using [a] newer OS, to our knowledge, but in theory it would affect Win8 32 bits too," Diaz added of Tyupkin's capabilities.

"It already targets Windows 7. However, moving to a more secure environment than Win XP is definitely a wise move," he later advised.

Kaspersky has worked alongside INTERPOL, the world's largest international police organization, throughout the Tyupkin investigation. INTERPOL is assisting in ongoing efforts to thwart the threat, Kaspersky said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.