On Aug. 23, 2016, FireEye detected a potentially new ATM malware
sample that used some interesting techniques not seen before. To add
more fuel to an existing fire, the sample was uploaded to VirusTotal
from an IP address in Thailand a couple of minutes before the Bangkok
Post newspaper reported the theft of 12 million baht from ATMs at
banks in Thailand.
In this blog, FireEye Labs dissects this new ATM malware that we
have dubbed RIPPER (due to the project name “ATMRIPPER”
identified in the sample) and documents indicators that strongly
suggest this piece of malware is the one used to steal from the ATMs
at banks in Thailand.
Connection to previous ATM Malware
- Targets the same ATM brand.
- The technique used to
expel currency follows the same strategy (already documented)
performed by the Padpin (Tyupkin),
- Similar to SUCEFUL, it is
able to control the Card Reader device to Read or Eject the card on
- Can disable the local network interface, similar to
capabilities of the Padpin
- Uses the “sdelete” secure deletion tool, similar
to GreenDispenser, to
remove forensic evidence.
- Enforces a limit of 40 bank notes
per withdrawal consistently, which is the maximum allowed by the ATM
New features, capabilities, or behaviors in RIPPER
- It targets three of the main ATM Vendors worldwide, which is a
- RIPPER interacts with the ATM by inserting a specially
manufactured ATM card with an EMV chip that serves as the
authentication mechanism. Although this technique was already used
by the Skimmer family, it is an
Similarities between RIPPER and the recent ATM theft in Thailand
RIPPER can maintain persistence using two modes: either as
standalone service or masquerading as a legitimate ATM process.
RIPPER is installed as a service if called with the following arguments:
Before creating the service, it will kill the process “dbackup.exe”,
which is specific to one common ATM vendor:
cmd /c taskkill /IM dbackup.exe /T /F
Then it will replace the original dbackup.exe binary under
c:\Windows\system32\ (if present) with itself.
Finally it will install a persistent service with following attributes:
RIPPER can delete the “DBackup Service” service if run with the
RIPPER can stop or start the “DBackup Service” with the following arguments:
“service start” or “service stop”
RIPPER also supports the following command line switches:
/autorun: Will Sleep for 10 minutes and then run in the
background, waiting for interaction.
/install: RIPPER will replace the ATM software running on the
ATM as follows:
Upon execution, RIPPER will kill the processes running in memory for
the three targeted ATM Vendors via the native Windows “taskkill” tool.
RIPPER will examine the contents of directories associated with the
targeted ATM vendors and will replace legitimate executables with
itself. This technique allows the malware to maintain the legitimate
program name to avoid suspicion.
RIPPER will maintain persistence by adding itself to the
\Run\FwLoadPm registry key (that might already exist as part of the
vendor installation), passing the “/autorun” parameter that is
understood by the malware, as seen in Figure 1.
Figure 1: Registry key added for persistency
/uninstall: RIPPER removes the registry keys created
Running without parameters
If RIPPER is executed without any parameters, it will perform the
1. It will connect with the Cash Dispenser, Card Reader and the
Pinpad. Since every ATM brand has its own unique devices names, RIPPER
will identify the current devices installed by enumerating them under
the following registry key:
2. RIPPER will make sure the devices are available by querying
their status (Figure 2), and if not available, will exit.
Figure 2: Querying the devices status via
3. For the Dispenser it will obtain information such as the Cash
Unit details to determine the number and type of available notes.
4. Finally it starts two threads; the first of which will
monitor the status of the ATM devices to make sure they are available
and will read all the keystrokes received from the Pinpad device
waiting to interact with the thieves (see step 7), as seen in Figure 3.
Figure 3: Monitoring Pinpad keystrokes
5. The second thread monitors the Card Reader, and once a card
is inserted it validates the EMV chip for authentication to the ATM Malware.
6. Once a valid card with a malicious EMV chip is detected,
RIPPER will instantiate a timer to allow a thief to control the
machine. Figure 4 depicts the timer function.
Figure 4: Monitoring the Card Reader
7. Once the thieves start interacting with RIPPER, they enter
instructions via the Pinpad and multiple options are displayed,
including methods for dispensing currency. Figure 5 depicts some of
the options available to the thieves.
a. CLEAN LOGS: Will clear the log stored at: C:\WINDOWS\temp\clnup.dat
b. HIDE: Will hide the Malware GUI by calling
c. NETWORK DISABLE: Will shut down the ATM local network
interface to prevent it from communicating with the bank. It can
re-enable the connection if needed.
Figure 5: Main Menu
d. REBOOT: Will call ExitWindowsEX() API without sending
WM_QUERYENDSESSION message to avoid prompts for confirmation, causing
the system to reboot.
e. BACK: Ejects the malicious ATM card back to the
thieves by calling the WFSExecute() with the command:
WFS_CMD_IDC_EJECT_CARD. This option, depicted in Figure 6, was
observed being used by the SUCEFUL family.
Figure 6: Asking Card Reader to eject the chip card
Through open sources, we’ve identified a family of malware that may
have been used in recent ATM robberies and which bears some
similarities to known families of malware. This malware family can be
used to compromise multiple vendor platforms and leverages uncommon
technology to access physical devices. In addition to requiring
technical sophistication, attacks such as that affecting the ATMs in
Thailand require coordination of both the virtual and the physical.
This speaks to the formidable nature of the thieves.
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog