Trend Micro security experts have recently found a new strain of ATM malware, called Alice, created to target the safes of ATMs. The new threat is very bare-bones: it doesn’t implement data-stealing capabilities and cannot be controlled via the numeric keypad of the ATM.
The Alice ATM malware was first identified in November 2016 as part of a joint research project on ATM malware with Europol EC3; however, the researchers speculate that it has been around since 2014.
When they first noticed it, the experts thought that Alice was a new version of the Padpin ATM malware. After analyzing the threat further, however, the researchers concluded that it belongs to a new malware family, Alice.
“Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered.” states the analysis published by Trend Micro. “Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs.”
The experts stated that the hackers must physically access the ATM in order to empty its dispenser, a circumstance suggesting that Alice has been designed for money mules.
“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism – it works by merely running the executable in the appropriate environment,” the researchers claim.
According to the security experts, the Alice ATM malware can also be used via Remote Desktop Protocol (RDP); however, there is no evidence of such use yet.
When executed, Alice creates two files in the root directory: an empty file of 5 MB+ called xfs_supp.sys and an error log file called TRCERR.LOG. The first is filled with zeros and contains no data; the second (TRCERR.LOG) is an error log file used by the Alice malware.
The log file traces any XFS API calls and related messages/errors. This file remains on the machine even when the malware is removed, likely for future troubleshooting or simply because the malware authors forgot to remove it.
The experts noticed that the malware only connects to the CurrencyDispenser1 peripheral and doesn’t include code to use the PIN pad; it was likely designed to allow hackers with physical access to the ATM to infect it via USB or CD-ROM.
“It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.” the analysis continues.
The Alice ATM malware is packed with a commercial, off-the-shelf packer/obfuscator called VMProtect. The malware implements features to hinder the researchers’ analysis and to prevent execution in debuggers and in environments that are not ATMs.
The Alice malware supports the following three commands, each issued via a specific PIN:
Drop a file for uninstallation.
Exit the program and run the uninstallation/cleanup routine.
Open the “operator panel,” to see the amount of cash available in the ATM.
During the infection, the money mule enters the ID of the cassette for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API.
Usually, ATMs have a 40-banknote dispensing limit, meaning that cyber criminals must repeat the operation multiple times to dispense all the cash stored in the cassette.
As the Alice malware has no persistence method, the hackers manually replace the Windows Task Manager (taskmgr.exe) with the threat. Any command that would invoke the Task Manager invokes the Alice malware instead.
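The root-directory files (xfs_supp.sys, TRCERR.LOG) and the Task Manager replacement described above can be checked for when triaging a mounted ATM disk image. The Python below is an added example, not code from Trend Micro or from this article; the function name triage, the exact 5 MB cut-off and the caller-supplied known-good taskmgr.exe hash (for instance from the operator's golden image) are assumptions.

```python
import hashlib
import os

MIN_SIZE = 5 * 1024 * 1024  # "5 MB+" per the article; exact cut-off is an assumption

def _all_zero(path, chunk=1 << 20):
    # Stream the file so a large artefact is never loaded into memory at once.
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def _find(directory, name):
    # Windows file names are case-insensitive, so compare lowercased.
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def triage(root, taskmgr_path=None, baseline_sha256=None):
    """Return a list of (indicator, detail) tuples for a mounted ATM disk image."""
    findings = []
    supp = _find(root, "xfs_supp.sys")
    if supp:
        size = os.path.getsize(supp)
        match = size >= MIN_SIZE and _all_zero(supp)
        findings.append(("xfs_supp.sys", "zero-filled, %d bytes" % size if match
                         else "name match only, %d bytes" % size))
    log = _find(root, "TRCERR.LOG")
    if log:
        # The log survives removal of the malware, so it also flags past infections.
        findings.append(("TRCERR.LOG", "%d bytes" % os.path.getsize(log)))
    if taskmgr_path and baseline_sha256 and os.path.isfile(taskmgr_path):
        digest = _sha256(taskmgr_path)
        if digest != baseline_sha256.lower():
            findings.append(("taskmgr.exe", "hash differs from baseline: " + digest))
    return findings
```

A name-only match on xfs_supp.sys is reported separately from a zero-filled 5 MB+ match so that an analyst can weigh the two differently.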