Alert over malware capable of extracting cash from ATMs
The cybersecurity company Kaspersky Lab has detected malware that specialises in infecting the PCs that operate ATMs. The malware was on sale on the AlphaBay darknet market, together with a complete tutorial explaining how to make it work.
In a statement, the Russian firm warned that ATMs remain “very lucrative” for cybercriminals, since infecting these devices with malware makes it easy to dispense the cash held inside them.
Although such malicious tools have been in circulation for a long time, Kaspersky Lab said their creators are investing a significant “amount of resources” in making this malware available to other criminals who are less familiar with computers.
Early this year, the company detected, through one of its partners, a previously unknown malware that had presumably been developed to infect the PCs used to operate ATMs.
The firm's analysts then found on AlphaBay, a very popular darknet market, an advertisement describing a type of ATM malware that matched the sample they were looking for. The listing revealed that the malware belonged to a commercial malware kit built to obtain the cash stored in ATMs.
A public message from the vendor contained not only a description of the malware and instructions on how to obtain it; “it also offered a detailed guide on how the kit should be used to carry out attacks, with instructions and even video tutorials.”
According to the investigation, the kit consists of three pieces: Cutlet Maker, the main module, which handles communication with the cash dispenser; c0decalc, a program that generates the passwords needed to make Cutlet Maker work and so protects it against unauthorised use; and Stimulator, an application that saves the criminals time by reporting the state of the cash cassettes and identifying the ones holding the most money.
To start stealing, the criminals need direct access to the inside of the ATM so that they can connect a USB device carrying the software. First they install Cutlet Maker. Because it is password protected, they run the c0decalc program on another device to obtain the code.
This key is a kind of copyright protection, added by the authors of Cutlet Maker to stop other criminals using it for free. Once the code has been generated, the criminals enter it in the Cutlet Maker interface and start dispensing cash.
Cutlet Maker has been on sale since March 27, although according to Kaspersky Lab its analysts had been tracking it since June 2016, when it was first identified through a public multi-scanner service in Ukraine; new samples later arrived from other countries.
It is not known whether the malware had previously been used in real attacks, but the instructions included in the kit contained videos that the authors presented as proof that it works. Nor is it known who is behind the malware, although the language, grammar and style errors in the kit's texts suggest that its sellers are not native English speakers.
Kaspersky Lab security analyst Konstantin Zykov explained that Cutlet Maker does not require the criminal to have advanced or professional technical knowledge, which allows ATM hacking “to go from being a sophisticated offensive operation to just another illegal way of stealing money, available to virtually anyone who has a few thousand dollars to buy the malware.”
In that sense, Zykov added that it is “a potentially very dangerous threat to financial institutions”, because while it runs, the program encounters no security control that stops it.
To protect ATMs, Kaspersky Lab specialists recommend that organisations' security teams implement a “very strict” default-deny policy, enable device-control mechanisms that prevent any unauthorised device from being connected to the ATM, and use a dedicated security solution.
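The default-deny posture in that recommendation, as an added example that is not part of the original article and is not Kaspersky Lab's or any ATM vendor's code: a small Python policy evaluator that allows only USB devices and executables explicitly named in a policy and denies everything else, including malformed events. The vendor/product IDs, the executable contents and the event records are constructed for the example.

```python
"""Default-deny evaluation for an ATM PC (added example; not Kaspersky Lab's
code and not an ATM vendor's).  Two kinds of event are checked against an
explicit allowlist: a USB device appearing on the bus and a process trying
to start.  Anything the policy does not name is denied, which is the
"default deny" posture the recommendation describes.  All device IDs,
hashes and events below are constructed for the example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allowed_devices: frozenset   # {(vendor_id, product_id)} in lowercase hex
    allowed_hashes: frozenset    # {sha256 hex} of executables allowed to run


@dataclass(frozen=True)
class Decision:
    verdict: str   # "allow" or "deny"
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: Policy, event: dict) -> Decision:
    """Allow only when the event is explicitly listed; deny everything else,
    including malformed records and event kinds the policy knows nothing about."""
    kind = event.get("kind")
    if kind == "usb_connect":
        key = (str(event.get("vid", "")).lower(), str(event.get("pid", "")).lower())
        if key in policy.allowed_devices:
            return Decision("allow", "listed USB device %s:%s" % key)
        return Decision("deny", "unlisted USB device %s:%s" % key)
    if kind == "process_start":
        image = event.get("image_bytes")
        if not isinstance(image, bytes):
            return Decision("deny", "process event without image bytes")
        digest = sha256_hex(image)
        path = event.get("path", "?")
        if digest in policy.allowed_hashes:
            return Decision("allow", "listed executable %s" % path)
        return Decision("deny", "unlisted executable %s (sha256 %s...)" % (path, digest[:12]))
    return Decision("deny", "unrecognised event kind %r" % (kind,))


def evaluate_all(policy: Policy, events: list) -> list:
    return [evaluate(policy, e) for e in events]


# Constructed stand-in for the one executable the ATM is supposed to run.
DISPENSER_AGENT = b"constructed stand-in for the legitimate dispenser agent"

# Hypothetical vendor/product IDs; a real policy would list the specific
# peripherals (card reader, PIN pad, dispenser) the ATM model ships with.
EXAMPLE_POLICY = Policy(
    allowed_devices=frozenset({("0a1b", "0001"), ("0a1b", "0002")}),
    allowed_hashes=frozenset({sha256_hex(DISPENSER_AGENT)}),
)

# Constructed event stream: a known peripheral, a USB stick nobody approved,
# the legitimate agent starting, and an unknown binary launched from the stick.
EXAMPLE_EVENTS = [
    {"kind": "usb_connect", "vid": "0A1B", "pid": "0001"},
    {"kind": "usb_connect", "vid": "ffff", "pid": "1234", "class": "mass_storage"},
    {"kind": "process_start", "path": r"C:\atm\agent.exe", "image_bytes": DISPENSER_AGENT},
    {"kind": "process_start", "path": r"E:\tool.exe", "image_bytes": b"constructed unknown binary"},
]

if __name__ == "__main__":
    for decision in evaluate_all(EXAMPLE_POLICY, EXAMPLE_EVENTS):
        print(decision.verdict.upper(), "-", decision.reason)
```

The point is the asymmetry: the policy lists what may happen, so a USB stick or a binary that nobody has approved is denied without having to be recognised as malicious, which is what stops a kit like this one whether or not a signature for it exists yet.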