Researchers from Kaspersky Labs warn that the Skimer malware, first spotted in 2009, is once again infecting ATM machines worldwide. An improved version of Backdoor.Win32.Skimer has been discovered infecting machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine.
The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult.
Unlike other skimming malware programs, like Tyupkin, which becomes active in a specific time frame and is awakened by a ‘magic code’, Skimer may lie dormant for months until it is activated with the physical use of a ‘magic card.’ The magic card gives access control to the malware, which then offers a list of options that are accessed by inputting a choice on the pin pad. The user can request the ATM to:
- Show installation details;
- Dispense money – 40 notes from the specified cassette;
- Start collecting the details of inserted cards;
- Print collected card details;
- Self delete;
- Debug mode;
- Update (the updated malware code is embedded on the card).
A video showing what criminal access to an ATM using malware might look like was created by Kaspersky:
Kaspersky has identified 49 different modifications of Skimer, with 37 of those targeting a single manufacturer of ATM machines. The original Skimer was one of the first examples of malware that allowed direct interaction with ATM machines. Using malware was more difficult to detect than physical attachments to ATMs that were used previously for theft of cash and data.
VirusTotal analyzed some of the new Skimer data and found that it was uploaded from ATM machines in 10 different countries: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.
Kaspersky recommends that banks keep an eye out for ‘magic card’ information, which will show up on their processing logs and can help to detect potentially infected ATMs. They also recommend undertaking safety procedures including full-disk encryption, isolating ATM networks from other bank networks, along with a good device management policy.