Trend Micro researchers spotted two ATM malware families one of which, Prilex, uses highly targeted attacks to hijack banking applications and another, Cutlet Maker, which is a flexible standalone application for emptying the ATM's safe.
Prilex is one of a few ATM attacks which aim to steal user data as opposed to just stealing the cash inside the machine and is likely used by a cybergang which to monetize bulk credit card credentials, according to a Dec. 14 blog post.
The malware hijacks the banking application, robs user input and card information, and sends this information to its control and command server. It was first spotted in October 2017, is written in Visual Basic 6.0 (VB6), and exclusively targets a single Brazilian bank.
Once a machine is infected, the malware's interface works in conjunction with the banking application so that when the display screen asks the user for their account security code, the screen is replaced by the malware.
Researchers said the malware is unique as it is, to their knowledge, the fist ATM malware that assumes it's connected to the internet. The malware tries to communicate with a remote command-and-control (C&C) server to upload both credit card data and the account security code shortly after it steals a user's data.
Researchers warn a silent attack like this could go unnoticed for months if not years as it would be harder to spot than a “jackpot attack” which emptied out all the money in the ATM.
Cutlet Maker is a more traditional ATM malware in that it looks to empty the machine's safe. The malware is a flexible standalone application that is designed to be run from a USB drive. It's also worth noting the malware technically doesn't infect the ATM. It was spotted targeting Wincor Nixdorf (now Diebold Nixdorf).
The malware is sold on the Russian dark underground with a “per use” license, which is an algorithmic code that generates a number each time the malware runs. Someone was able to reverse engineer the code of the malware and was able to sell the “cracked” version for cheaper.
To prevent attacks, researchers recommend ATMs use mandatory monitoring tools and protections to help prevent attacks from similar malware.