
From your PC to your nearest ATM: a history of the sneakiest financial malware

BSides Lisbon · 2016 · 43:35 · Published 2016-11
Category: Technical
Style: Talk
About this talk
The traditional way of milking a bank's automated teller machine (ATM) dry was to blow it up. Literally, steel and everything... but there's a new kid on the block. Modern criminal gangs around the world have now figured out that deploying ATM malware is an easy shortcut to jackpotting every last banknote inside. In this talk, we describe the reasons that have led criminals to develop their new golden goose, the strategies they use and each of the main malware families on this new battlefield, as well as the criminal organizations responsible for this new threat. The challenge these malware writers face is accessing the special hardware of these machines: PIN pad, card reader and cash cassettes. Different malware families solve this in their own particular way. The paper describes each family in detail as well as the geographical area it comes from. An overview of the criminal organizations behind these threats is presented. We conclude with some lessons learned and recommendations on how to protect these very special machines.

About the Speaker: David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 17 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general.

Transcript [en]

So you guys knew that there is ATM malware, right? Like malware specifically created for ATM machines. Who here was aware of this kind of malware? Right, everybody. My first hint was when I moved back to Ireland, like 2006. When I lived in Spain, all of those terminals were the old kind of terminals, like AS/400 mainframe kind of ATMs. You remember those, in green; they looked really, really old. And when I moved to Ireland, suddenly I saw, you know, Windows environments in the ATM, and you could suspect that there was an ATM with Windows because you could see every now and then these errors, no? And all of the security specialists back then, and I'm talking about 2005-2006, we all said, wow, this is going to spell doom, this is just going to be a disaster any time. And yet we started seeing the disaster happening like a couple of years ago, not before. So for me it was surprising, you know; from 2006 I've been expecting it, like it's going to happen, it's going to happen, it's going to happen, there's going to be something big, and only now we're seeing it. And yeah, it is really becoming mainstream. Is it something to worry about yet? I mean, do you guys need to be worried when you go to the next ATM to retrieve money, fearing that your data is going to be picked up?

Probably not yet, right? Does it happen often? Well, when it happens... I'm not sure either. All right, so, but when it happens, it makes it to the media, and now I'll show examples of instances when attacks like this have happened, and you really hear it. I mean, they happen every now and then, and when they happen, boom, everybody knows. This is another example; this is a more recent one. This one I love, you know, it's just a system from the UK. You know, if you don't see it there, it says "your password has expired, please change it". OK, yeah, how do I change that? And there are three reasons we believe that this trend has been picking up lately. These three reasons, we believe, are the main core of the question, right? Number one is that the bad guys have no problem attacking exotic platforms, and I mean exotic with quotes, right, because this is not really exotic; we're talking Windows, right, but Windows with different hardware, with different stuff. They have no problem. Like 10 years ago you wouldn't see that many attacks on strange platforms; right now they're taking on POS, that's points of sale, those strange special devices; we're seeing mobile hardware being attacked, we're seeing all sorts of hardware being attacked. Now ATMs are a bit more difficult, right, because, you know, if I want to attack an Android I just get hold of an Android and study it. What do they do with their ATMs? Well, they're doing precisely that: they just take an ATM, steal it, steal the whole thing. All we see in that... you know, I'll tell you later about the story of an arrest, and when they took over the guys, you know, they went into the house, the police arrested them in the house, and the house of course had all sorts of development devices and stuff, and then two ATMs. Two ATMs! The guys picked up the ATMs, brought them home, and started analyzing and seeing what's in there, what the protections are, what they look like, what kind of architecture they're using. They're doing that. So right now this is one of the things that the bad guys are doing: they're just, you know, very bold. I need to attack that? Oh, pick it up and study it. So they're very bold.

The second one is that they're dealing with Windows XP. I mean, XP, it's from 2001, so we're talking about a 15-year-old, more than that, almost 16-year-old operating system. So the guys at this point are very skilled at doing everything with Windows XP; that's pretty good for them. And the third reason is that Microsoft, and I'm not pointing fingers, I think Microsoft did a good thing: Microsoft created something called the Extended Financial Services, which is some sort of middleware API that makes the banks' lives much easier. It means that in order for a bank to develop software, not hardware, for the ATM and communicate with the special devices that ATMs have, they just need to communicate with that middleware, and that middleware communicates directly with the hardware. So when you configure an ATM, the bank just needs to install this XFS layer so that it communicates properly with the card reader, with the cassettes and then the money, with the camera, with the alarms if it has them; everything is abstracted, there is an abstraction layer so that the program only needs to use those APIs. It's like, OK, retrieve the PIN code, that's it. That's great, right, because for the developers it's just calling an API, and they don't care if the brand of the ATM is A or B or C; they just don't care, they just make one single API call. Now the developers, it's a boon, they're very happy; the bad guys, super happy, because they don't need to care about what the underlying hardware is. OK, give me that whole track 2 data from the card that the user just plugged in. All in all, great, you know, really, really good. XFS has been a great advance for developers, for the banks, and a greater one for developers of malware. And now we're at that point, at a juncture, where everybody is very happy except for the banks, because they're seeing these attacks massively. I mean, not very often, but when they happen they are amazing, and you'll see examples of that later.

So, as shocking as it is, the way into an ATM is usually this: the guy walks up to an ATM, normally it's going to be one that is not in the bank, right, in a mall or some isolated area, some sort of 7-Eleven in the back. They just open it with a special key; those keys are usually not unique, so it's the same key that opens a whole bunch of ATMs for the whole network. They just open it, access the main board, and then they access either the USB or the CD reader. So they put in a CD, boot the machine and boot into a special XP or a special Windows environment, then they mount the whole system as a unit and then they modify it, because, you know, the original Windows XP from the machine is not running; it's another separate machine, which means that they can modify it at will, they can just add stuff so that the next time it reboots the machine is infected. So we're seeing that with CDs, DVDs, and we're seeing that with USBs; they just plug in a pendrive, reboot, the machine's infected, and that's it. It looks super complicated, right, but of course the guys are, you know, minimally good at this, so they have managed to script this, so the whole operation takes about five minutes. You just need to open, plug in, reboot, the scripts run, OK, reboot again, close, the machine is infected. Now we'll see what happens when the machine is infected. This is pretty unusual, but this is the way. I mean, amazing. Now, of course, I have to tell you that there's another way in, another possible way in, which is if you manage to take over the network of the bank; then you could jump into the special network. Normally they're protected by VPNs, right, so if you have the right credentials you could manage to jump through the network. It has happened,

but this is much easier. I mean, if the guy has the right key, and normally the keys are just the round kind that just open, and that's it, right, then what the guys do is they look at banks that have this protection and they just open one, jackpot the whole machine, go to the next one in the same neighborhood, do it again, do it again, do it again. They spend the whole weekend doing this, millions of pounds, euros, dollars, whatever, and then they go home. So super easy from their point of view. Now, what they want, I've already mentioned: you know, jackpotting the machine, just, you know, machine, give me everything. They check all the cassettes, the money cassettes, and they manage to empty the whole machine. That's the most obvious one, but it's not the only one. Why? Because this one is a one-off: you only get one chance, you empty the machine, whatever. Normally these machines will have between 100 and 150 thousand euros a pop, which is, you see, the money, right? Not bad. Now the other one is virtual skimming. You know what skimming is, right? Skimming is putting a device on top of the ATM so that when the user puts in the PIN and the card, those devices pick up the track data and pick up the PIN code, because the user is keying in over the fake keyboard. Now, if you have control over the whole system, then you might as well put in a keylogger that does all that, and the advantage of that is that the bank is not going to notice, because of course if I jackpot the machine the bank notices; it's like, wow, a machine is empty and I have no transactions, something's wrong. They send a technician, they put that machine off the network and they probably destroy the machine. It lasts for one day; it's a one-trick thing, and that's it. Now, if you manage to do the virtual skimming, to put in a keylogger that logs every single transaction, then the bank doesn't know. You can have these things going on forever, and then every day, every week or every month the guy just goes to the machine: OK, these are the logs from the latest transactions. Then he clones those credit cards and then sells them. This is happening. So we have both jackpotting and virtual skimming going on at the same time.

And I'll go through the families. There aren't that many, so this is not a major issue, right? Number one is the granddaddy, this is the oldest one. So when I said 2006, we didn't think... actually, from 2009 Skimer came along. Skimer was jackpotting back then, and it was found in Russia and the Ukraine, so you'd think this is probably of Eastern European origin, right? That's what we thought, right. It's just attacking Diebold. This was way before XFS, before the Extended Financial Services from Microsoft, and of course it had to target the specific API from one vendor; the vendor that was attacked at this time is Diebold, so only Diebold ATMs were affected, and are affected, by this thing. This is the granddaddy, but still alive and kicking; we are still seeing this stuff in the wild with different modifications, a little bit more developed, but this thing is out there still. And you'd think, OK, this is Eastern European, right? Not so much. In 2011 then we saw the same code base, but instead of just doing jackpotting it's doing virtual skimming. It stays there, it waits for the bad guy to come with a special card; he inserts the card and then he gets into a special menu, and among the things in the menu it's "put everything you have logged onto the card". It dumps all of the credit cards onto the card, and then the guy steps away with a card that has a dump of everything, every transaction that has happened on that ATM. Then the guy of course sells those credit card numbers in the underground. And so we have two code bases: 2009, clearly jackpotting, in Russia and the Ukraine; 2011, only virtual skimming, but this was found in Brazil and in Mexico, so it's very South American. Why is it very South American? Because in the installation routines all those special strings, like "you don't have privileges, you need root privileges to install", everything is in Spanish, everything. So you'd think Ukrainians haven't made this. So you might think maybe some code base originally from the Ukraine made it, you know, somehow, somewhere into Latin America, and the Latin Americans have continued development. Maybe, it's anyone's guess, I have no idea. This, we believe right now, is being developed in Latin America, but we have no idea, and we're seeing it to this day. In fact, I have some samples that I received that I need to check out, and I think that there's more stuff, like the latest ones are using alternate data streams, which is, you know, to hide files. I have no idea why; I guess that they're fearing that the banks are seeing it. But the banks, they have a hard time, because a normal bank will have a network of thousands and thousands of ATMs, so they cannot send a technician even once a month, even once a year, just to check if something's up. Unless there's an alarm, they don't check those machines. So, but it's being developed. So,

number two, we have Ploutus, and this is again found in 2013. Imagine the leap: 2009, 2011, then 2013; nothing from 2009, from the granddaddy, we're only seeing the second one pretty recently, 2013, so this is picking up now. Ploutus's only objective is jackpotting, so it only takes cash; no virtual skimming, no logging, anything. And again, since this is from before the API, the XFS API, it aims only at one vendor, which is NCR. Now, I would not be amazed if something surfaces that is Ploutus for Diebold or Ploutus for any other vendor. It may be; we have only seen this, and what we have... bear in mind that we have a very hard time getting those samples, because either they delete themselves at some point and then you can't get to them, or if the bank is lucky enough to get those samples, they don't necessarily share them with us. So we have a hard time seeing samples. I'm only seeing samples from NCR, so I have to assume that these guys are only targeting NCR. Why? Probably because it's very common in Latin America; in Latin America NCR and Diebold apparently, in Mexico at least, are very common. Clearly Latin American. And the nice thing about this one, I don't know how they came up with this idea, right, but it supports not only a menu, which when it's infected the bad guy gets a menu, right, and on screen he can retrieve all the money, "give me everything, here's everything", but it also supports commands through SMS, which means that the bad guys have to hook a phone into the machine, put it in, close the machine, and then at some point text so that it gives some money. Now the bad guys probably thought, OK, this is great, because we can reuse and reuse and reuse, every time, by sending a text, and then tomorrow they fill it up and then we empty it again. Doesn't happen; I mean, the bank sees this, it's like, wow, this ATM is out of the network, and they bring it home. So of course, even though it might seem like a good idea, it's actually giving more hints to the police as to who's behind it, right, because you're leaving behind more stuff with fingerprints and with stuff. So, hmm, it's a nice idea; it just goes to show that the guys are developing and they're creative, but nothing much more. I mean, it's interesting, not really useful for them.

Number three, and again South America. We know it's South America because we're seeing it in South America; it might come from somewhere else, but we think it's South America. It's GreenDispenser. I don't know who names these things. GreenDispenser. So this one was first found in 2015. You're seeing how most of them have been found 2015 on; number three, 2016 too. So it's picking up speed right now in these last few months, and we expect the future to be, like, much more, because the guys are seeing that this is relatively simple, it's not that difficult, and they're starting to develop this. So the banks really need to spruce up here. This one is very similar, cash, but with a big difference: this one uses XFS, because this is relatively recent. The sample that we have seems to be targeting only Wincor Nixdorf, which is another ATM vendor, but through XFS. It means that it uses those parts of XFS that are specific to Wincor installations. So, you know, it's different; we're seeing that there's more development here. Like, to me, even though it uses a different programming language than the previous one, Ploutus, it looks similar, so it's not crazy to think that it's either a spin-off subgroup from the previous one or perhaps a rival gang, you know, another gang: all these ones are doing it, I'm doing it too because it brings a lot of money. It may be. And clearly Latin America, somewhere in Latin America. So I said South America, but I should have said Latin America, because a lot of them are in Mexico, so Mexico technically is North America, but Latin America, and we understand each other. Now, this is for the Latin American part: you can see a thing going on there, right? There must be a few gangs there that are operating pretty much in the same way. It might be the same gang developing three branches: for Diebold, for NCR and for Wincor Nixdorf. It might be rival gangs; they might not even know each other. We have no idea.

The fourth one is a departure from these ones. The fourth one, they call it NeoPocket; it was found by a consultancy firm in Spain, because they have a lot of customers in Latin America, and it was found in Central America of all places. And this is very specific: so this thing only attacked Diebold machines, because that's where we found it, but it knew exactly the protection software that the machine had. So the ATM was protected by a whitelisting application, so it knew how to make an exception for itself, for the malware, in it, this particular one, knowing the path, knowing everything of this specific machine. These guys who found it barely found it, because it had an expiration date. So this thing had, like, a campaign, a particular amount of time; I think it was like six months, and after six months it would delete itself. So it was super targeted; it even knew exactly what kind of ATM they were going to, what kind of protection software it was running, everything, and it was also limited in time. And this is just purely virtual skimming, so it was just gathering data only; there was no money involved. So this thing could have lived there, it probably did live there, for the full amount of time. Imagine all of those ATMs from this particular bank for the full six months, living there and, you know, getting, getting, getting data. You know, anybody is subject to that. We think that it had some amount of insider knowledge, right; it doesn't happen by chance. Either the bad guys paid somebody to know all the exact protection and all the installation, or some insider did it himself, you know. It may be, it may be. And in any case, this is pretty scary, because if you tell this to banks, it dawns on them the notion that they could have any amount of ATMs infected by this kind of thing and they would have no idea, no idea, and no way of knowing other than just stepping into the ATM and checking if there's something else, something strange running, which is really not doable, right? If you have like five thousand ATMs throughout the country, you cannot send a technician to all of them just to run some process and let's see if Process Explorer finds something. It is not doable. Again, Latin America.

Now, number five, we call it Padpin; most of them call it Padpin, PinPad, the other way around. I don't know who comes up with these names, really. 2014, and it was seen in Russia, isolated parts of Russia. The objective is purely cash; it's only just jackpot and give me the money, and it only aims at NCR. I'm pretty sure that there are also versions aimed at other vendors, but the ones we've seen, let's say NCR. Purely Eastern Europe. Now, there's another name for this out there; we call it Tyupkin. Now, the interesting thing about this one, if you notice, this is the only one that hints at Eastern European origin, right? But the interesting thing about this one is that the arrests that have been made by law enforcement agencies have been here, right, and you see that the bad guys are actually licensing the software to gangs. The gangs are taking the money, risking themselves, getting arrested in the process, some of them, but the developer is nowhere to be seen. We have no idea who the developer is, but it's clearly Eastern European because, you know, there's stuff in Cyrillic inside, and we started seeing it in Russia way back in 2014. And the funny thing is that, you know, the developer is selling it or licensing it to others. Now, how do the developers... how can they control the spreading of this thing, right, so that these guys don't give it to somebody else? Now, the licensing, there you go, the licensing works this way, and this is a tendency among all of them. So the way it works is: the guy in front of the machine opens the machine, infects it, closes it, and then they have a special menu, and then the first thing that the malware does is say, OK, give me a special key. Now the guy has no idea what the special key is because it's time-based, it's time-dependent, so the guy has to go to the boss of the gang and say, hey, what's the key? OK, the key right now is blah; he gives him a small little string, and then, only then, can they take the money. So the guy controls exactly who's retrieving the money and how much money. That's the way they control it, so it's some sort of licensing scheme that these guys have, which is kind of funny if you think about it. I mean, even the bad guys don't trust each other; honor among pirates, right? Here, so, I'll put examples of Padpin, because this is the one that has been technically researched. Technically they're not super complex, other than that you need an ATM if you really want to run things with the XFS and everything; we don't have an ATM, then it just doesn't run, right? But you can suspect; you look at the code and you can suspect it.

Technically you can get a look at the code without much problem. Now, law enforcement have been able to get these guys, and I'll show examples later; it's really, really cool. Now, number six is from August 2016, and this one we have no idea; it's pretty new. So it's just cash. It was one attack, one big attack, in Thailand back in August. If you follow the news, this kind of news, it was pretty big back then: the guys just, you know, swept a lot of ATMs in one weekend and managed to get a lot of money. No idea; there are no hints inside. The only thing that I... of course it's not Thai; I would not believe that it's Thai. By the model I'd say Eastern European, and I'll tell you why later in the next slide. But the only hint that we have here is that in the code there's one misspelling: "cassette", you see that it's missing a T; normally cassette should have two Ts. So either the guy is a very bad speller or he's Portuguese, exactly, Portuguese or Brazilian. So that's the only hint. It may be; we have no idea. Now the model, this model that we're hinting at here, is going to one country, sweeping a bunch of ATMs and going back home, a country totally unrelated to your own country. It's been used in Padpin, and this is the example; this is the guy that was arrested, right. So this was an attack in the UK; it was one weekend, it was one holiday. You know that in the UK, whenever there's a holiday they move it to Mondays; they don't, you know, they just don't allow people to have very long weekends, they're nasty that way. So on a holiday weekend, it was an extended weekend, three days, back in 2014, the guys went over London and around London, so a couple of neighborhoods around London: 1.6 million pounds in a weekend, and a pound in 2014 was worth more than it's worth today. Just, you know, a lot of money, just a lot of money in one single weekend. Now SOCA, that's the law enforcement agency in the UK, they were investigating this stuff; they had no idea, you know, how to go about it. They got a hint that this guy was on to it; they followed him, they arrested the guy, and the guy had just entered the UK from somewhere else; he was not even from the UK. So that was the first hint: somebody's licensing this Padpin thing, they were teaching them how to do it, so there was some sort of, you know, instructions or training or whatever, and then the little gang would go to one unrelated, completely unrelated country and just attack, get all the money, get on the night plane and go back home. This guy, I think he was Georgian, but he was based in Romania or Moldova or somewhere in Eastern Europe, not Russia or the Ukraine. So that was the model; that was the first hint of the model. Now, the same thing happened in Malaysia again, the same kind of thing as Thailand I was telling you about earlier, right? This one was verified: this is Padpin. So they went to Malaysia, they took a lot of money and went back home. Now we were not sure who it was, but I heard this fact, right: the same guy here, Grigori Pilate, was in Malaysia the same weekend that the attack happened. It's not demonstrated that it's him, but, you know, it looks likely. And so, Kuala Lumpur, that's the Malaysian police telling you this stuff; it's very small so I'm going to blow it up a bit: "we believe that he continued his crime spree", he, the criminal, "in several countries before fleeing to London". He went to London, of course, and more, like, this has happened in the United Kingdom, Russia, Malaysia, Germany and Canada. So none of these attacks have made it to the news, but, you know, the Malaysian police are telling us that they have happened, so I don't know if they have happened, but apparently they have. So these guys are acting exactly in that way: the same people just going to one country, sweeping money, going back home. That's what I was saying, that even though I have no idea who the author of Ripper, number six, was, or the gang behind it, it looks very much in line with this kind of strategy, so I would say it looks Eastern European; I can't say, but it looks like it. Now, in January 2016 the Romanian police arrested a whole gang, one whole gang that was doing this in Romania; that was in January. So they went to the house and they saw the whole thing and everything, and they arrested the whole gang; it was like seven people, I seem to believe. And in the whole gang there was no developer; there was no development happening here at all, all right? And so there was no development; the guys were just licensing the software, they were just getting it from somewhere, getting the training, knowing how to attack, performing the attack and going back home. So that was another hint. Now, as many arrests as we can get here, we see that these guys are moving a lot; they're moving through the Russian underground, or the Russian-speaking underground, but they are not the developers themselves. The developers themselves are not exposing themselves or not getting exposed.

And I'm actually done with that, all right.

All right, I'm actually worse with this because I move a lot, so I usually finish this one giving recommendations.

Maybe it's me, I track the waves here. All right. Giving recommendations to others: normally the recommendations are pretty straightforward, right? Everybody in the security industry, the first thing you notice about this is physical security. Don't use those keys where one single key can open the whole network; it just doesn't make sense. Now, it might seem obvious to us, but it's not so obvious to banks. Why? Because if it's difficult to have one guy go to the middle of, you know, whatever countryside location and open it, imagine how difficult it would be if every single one of those ATMs had a different key. It would mean that they would have to go to a central location where all the keys are, OK, pick one, this is for street A, and then go to street A, open it, and then go back to the central location and put it there. And with central locations we're talking about different countries, or different cities in the same country, so it would make their work, logistically, that much more difficult. So I understand that, but still, I insist, it's not very good. So physical security. I would say also, if you don't need a USB port on the main board, don't put a USB port; it honestly is not needed. CD, DVD, do you really need that? Do you need to make it bootable? Probably not, right? Offline security refers to exactly that: all those measures that can be taken offline, right: the firmware, you know, don't make the BIOS accessible, don't make any external devices bootable. Pretty obvious to us, right? For them, it would mean, if you have a 10,000 or 5,000 ATM network, going to each one of them and establishing policies; that takes money, that takes effort. So until it happens more and they're bitten a couple of times, like, oh, I lost 1.6 million, actually I'm going to start a new policy here, it will start happening. And of course online security, you know, put your VPNs, which are probably already there, firewalls, you name it, anything that is on top of the operating system once the operating system has booted: whitelisting solutions, they're there, they're being used. There's no guarantee, because if you can boot from a separate operating system then it doesn't matter how many firewalls and IDSes and IPSes; it doesn't matter, because you own the system. So this is by order of importance: I would go first for physical, then offline and then online. A big one, for instance, would be to have the operating system or the whole disk encrypted, so that even if you boot from outside you won't be able to mount it and modify stuff. So that'd be a big one. I understand it's a huge pain in the ass for them, but I think it would bring a lot of very good security. And this is pretty much my message: you know, ATM malware exists, so do we need to be concerned about it? We as users, not so much; you know, we as the security industry, as a curiosity so far; the financial industry, definitely, you bet, they really, really need to be on this, you know, they really do. That's pretty much it. Thanks very much.

I do have time for questions, right? Sure.
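The talk makes two points a bank can actually monitor for: a machine dispensing cash with no matching host transaction ("a machine is empty and I have no transactions, something's wrong"), and an unexpected boot from removable media before the dispenses start. The following is an added illustration, not code from the talk, from Trend Micro or from any ATM vendor. The log format, the field names and the sample lines are constructed for this example, and a real deployment would read these events from the terminal's journal and the switch's authorisation log.

```python
"""Reconcile an ATM's local events against the host's authorisation log.

Added example (constructed log format, not a vendor's): every dispense must be
explained by exactly one host approval for the same ATM and amount shortly
before it, and any boot from a source other than the internal disk is flagged.
"""
from datetime import datetime, timedelta

# Constructed sample: a terminal-side event log (hypothetical format).
ATM_EVENTS = """\
2016-08-20T02:10:05 atm=ATM-0042 event=boot source=usb
2016-08-20T02:14:40 atm=ATM-0042 event=boot source=disk
2016-08-20T02:16:02 atm=ATM-0042 event=dispense cassette=1 amount=2000
2016-08-20T02:16:20 atm=ATM-0042 event=dispense cassette=2 amount=2000
2016-08-20T09:30:11 atm=ATM-0042 event=dispense cassette=1 amount=100
2016-08-20T09:31:00 atm=ATM-0042 event=dispense cassette=1 amount=60
"""

# Constructed sample: what the bank's switch approved for that terminal.
HOST_AUTHS = """\
2016-08-20T09:30:09 atm=ATM-0042 auth=approved amount=100
2016-08-20T09:30:58 atm=ATM-0042 auth=approved amount=60
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, rest = line.split(" ", 1)
        rec = {"ts": datetime.fromisoformat(ts_str)}
        for field in rest.split():
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def find_removable_boots(events):
    """Boots whose source is not the internal disk (CD, DVD, USB, ...)."""
    return [e for e in events
            if e.get("event") == "boot" and e.get("source") != "disk"]


def find_unauthorised_dispenses(events, auths, window=timedelta(seconds=10)):
    """Dispenses with no host approval of the same amount, for the same ATM,
    within `window` before the dispense. Each approval is consumed once, so a
    second dispense riding on one approval is also flagged."""
    unused = [a for a in auths if a.get("auth") == "approved"]
    unexplained = []
    for e in events:
        if e.get("event") != "dispense":
            continue
        match = None
        for a in unused:
            delta = e["ts"] - a["ts"]
            if (a["atm"] == e["atm"] and a["amount"] == e["amount"]
                    and timedelta(0) <= delta <= window):
                match = a
                break
        if match is None:
            unexplained.append(e)
        else:
            unused.remove(match)
    return unexplained


def reconcile(atm_log, host_log):
    """Return one human-readable finding per suspicious event."""
    events = parse_log(atm_log)
    auths = parse_log(host_log)
    findings = []
    for b in find_removable_boots(events):
        findings.append(f"{b['atm']} {b['ts'].isoformat()} booted from {b['source']}")
    for d in find_unauthorised_dispenses(events, auths):
        findings.append(f"{d['atm']} {d['ts'].isoformat()} dispensed {d['amount']} "
                        f"from cassette {d['cassette']} with no host authorisation")
    return findings


if __name__ == "__main__":
    for finding in reconcile(ATM_EVENTS, HOST_AUTHS):
        print("ALERT:", finding)
```

Run on the constructed sample, this reports the USB boot and the two 2000-unit dispenses in the small hours; the two daytime withdrawals match their approvals and stay quiet. The matching window and the one-approval-per-dispense rule are the parts worth tuning against real data: too wide a window and a malware dispense can hide behind a legitimate customer's approval.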

...scarier. So, um, at the end of the day the vendor, they just create the case and put in the hardware, and it's up to the bank to do all that stuff. So could you... can you do it that way? Definitely you can, but even though those things exist, for practical purposes they're not going to be implemented in every case. Why? I'll tell you why: because when you have an ATM in-house in the bank, then normally it has a camera, the alarm and everything, but when you set up an ATM which is isolated in the middle of a mall, or, better known, in some vendor, in some 7-Eleven somewhere, if you put in an alarm, the 7-Eleven guy is going to be like "what happened? I have no idea what to do". It doesn't matter what it would do, I mean, in five minutes... that's precisely... I mean, it's not impossible, and in fact a lot of times it is implemented, but precisely the ATMs that they're targeting are the ones that are most likely to be unattended. So even if there was such an alarm, in those remote locations they would never get there in time. Like, five minutes: I get to my menu, call: "what's the number?" "Here's the number." "How many cassettes? How much money?" "Give me everything." I select everything. "Is that everything?" "Yes, everything." Grab the money, out.

Yeah, and they even have in those menus, they have an option of secure deletion, so "delete everything", so it deletes itself and it leaves no remnants. So the bad guys... I mean, the bank knows that something has happened, they go there, they try to do some forensics, they don't see anything, they don't get any samples. So that's why it's so rare for me to get samples; I'm really struggling sometimes. I suspect that there are samples like those Ploutus ones... I would suspect very strongly that there's a version of Ploutus that attacks Wincor Nixdorf or any other vendor and I'm not seeing it, no. But yeah, definitely the hardware supports it; definitely the implementation is down to the bank, yeah.

There was a question over there, right? "You talked about the virtual skimming style of technique and I want to clarify something: the target there is just to grab card numbers, right? Because when you dial your PIN, the key is encrypted in hardware, so it's impossible to get the PIN." For EMV, yes; for EMV it's the encrypted PIN pad. I say so many times "bad pin"... it's the encrypted PIN pad. So what happens is that there's an encrypted version of it: you enter your PIN and that's encrypted, so the pad encrypts it, sends it somewhere, to a central location, in a database, and then it says yes or no. "Yes, so you cannot pick it up." Yes, you would only get the whole track 1, track 2 and track 3. "Yes, so the target is the credit card numbers." There's no EMV... so imagine in the US, then, anything that is encoded in the magstripe might be. "So the PIN is okay." Okay, you're right, you can think... I've seen that question before. You're right, okay, thank you.

"Hello, I got a very specific question. You said the developers themselves were licensing the software to the rings, right? So what did they use as a password? Was it something like Google Authenticator that would generate a one-time password, or something like that?" You see, I don't know. Why didn't this come up, right? Do you see this, the licensing? It's on a site, right, and on that story, this has been seen by some consultant in Russia in the Russian underground; this is the advertisement from whoever is selling it to people, yeah, I think it's about five thousand dollars. "I thought you were able to take a look at a sample of that code." So that was, like... well, licensing, we don't really know how they license it. What we know is how each gang is able to control the foot soldiers in front of the ATM. So those codes are usually completely random-ish, kind of like time-based. Let me show you an example of one of them. Yeah, they would share a secret with the computer and generate it through the machine's local time. It's not very pretty, but it's some sort of base64 thing. So that guy would see that; that's a QR code, and that QR code decodes to this thing, and this thing, if you do base64 straight, it doesn't work, I mean, it's just bytes, it's probably not that. So I think that it's either custom base64, or the alphabet has been scrambled, or maybe it's bits and bytes, I have no idea. But the guy just gives a screenshot: "this is what I'm seeing, this is the input", so you don't leave him there... 'cause, you know, that to me doesn't make sense. Yeah, there has to be some sort of special app on the phone that they use; they pick this up and then the other guy returns some time-based code. Okay, right. By the way, this originally is not there, I just put it there to show what it decodes to. Okay.

"You mentioned that the banks can't go to every single ATM to check what is running, with Process Explorer and the like, but can't they... aren't ATMs connected to a network, and the bank connects to the ATMs? And somehow, I'm assuming there aren't rootkits that can intercept the things that they can see, but are these banks trying to read remotely the information of the ATM?" So I don't work for a bank, so I can't really know, so this is absolutely bank-specific. Some banks, I know for a fact, have very complex systems of managing ATMs, down to even seeing whether they've been compromised, or if the disk encryption is still running and running fine, and there are some completely unmanaged. So it comes down to the budget of the bank: if they have more budget and they want to spend, there are products. Some smaller banks, they might not have the money, or, you know, they haven't seen themselves as likely targets of this kind of theft, so they're not spending it. So the possibilities are there; are all of them using them? Definitely not. That's why, when you see one of these attacks happening, it normally happens to the weakest, the weakest protected bank. Mm-hmm. I think there was some more... then...

All right, thank you guys.