A new malware descent named Alice is lean, mean, and designed solely to empty the sheltered of ATMs.
Researchers at the Los Angeles security software com ny Trend Micro ahead discovered Alice in November 2016. It appears to have been in the impetuous since October 2014.
Alice makes use of several evasive techniques to dodge detection. First, it follows the example of GreenDispenser and other ATM malware in its ruling to use a commercial, off-the-shelf cker/obfuscator. The variant analyzed by Trend Micro old software called VMProtect to ascertain whether the embedded binary is on-going inside a debugger. If the check comes back positive, it displays an misprint message. Otherwise, it moves onto its next technique.
Prior to executing, the malware looks for two registry keys associated with a justifiable Extensions for Financial Services (XFS) environment. Those keys’ presence influences whether Alice displays an authorization window for a PIN code or another by mistake message.
Bias Micro senior threat researchers David Sancho and Numaan Huq laborious on the significance of the PIN code for Alice-based attacks:
“Alice’s user authentication is like to other ATM malware families. The money mules that carry out the affects receive from the actual criminal gang(s) the PIN needed. The first oversight they enter drops the cleanup script, while entering the machine-specific PIN tterns lets them access the operator nel for money dispensing.
“This access jus canonicum canon law changes between samples to prevent mules from sharing the jus naturale natural law and by ssing the criminal gang, to keep track of individual money mules, or both. In our samplers the sscode is only 4 digits long, but this can be easily changed. Attempts to brute-force the sscode settle upon eventually cause the malware to terminate itself once the PIN input limit is reached.”
Access to a PIN previously to to emptying a target ATM suggests Alice is used only for in-person reviles. Infection could proceed by the money mules opening an ATM, inputting a malicious USB or CD-ROM, and direct the malware through a keyboard that connects to the machine’s mainframe.
On one occasion Alice goes live and opens the ATM’s operating nel, money mules can hand-pick any one of the available cassettes and steal money from them at their unhurriedly.
Sancho and Huq correctly note that ATM malware raids are on the rise:
“Up until recently, ATM malware was a niche category in the malware province, used by a handful of criminal gangs in a highly targeted manner. We are now at a headland where ATM malware is becoming mainstream. The different ATM malware families bear been thoroughly analyzed and discussed by many security vendors and these bad hats have now started to see the need to hide their creations from the safety industry to avoid discovery and detection. Today, they are using commercial off-the-shelf ckers; tomorrow we guess to see them start to use custom ckers and other obfuscation techniques.”
All being well, this trend will propel ATM manufacturers to outfit their systems with additional security features. At the same time, financial coalitions that purchase these units can help deter bad actors from imprisoning physical ATM attacks by situating their machines inside and/or in full opinion of a security camera.