Kaspersky Lab reported that malware targeting automated teller machines (ATMs) is being sold on underground markets for $5K.
The malware, called CUTLET MAKER, is sold as part of a kit that consists of a password generator and an application named Stimulator. Stimulator is used to steal information about the status of the cash cassettes in a target ATM, such as currency, value, and the number of notes.
The researchers from Kaspersky Lab found the forum post advertising the malware in May 2017. According to the experts, the offer was first published on AlphaBay, a darknet marketplace that was shut down this summer.
The advertising post includes information on the required equipment and targeted ATM models, alongside tips and tricks for the malware’s operation, as well as part of a detailed manual for the toolkit.
The researchers noticed that the “Wall ATM Read Me.txt” manual had been distributed as a plain text file. According to the experts, it was written in poor English with bad text formatting.
The text contained grammatical mistakes and slang that point to a Russian author, and the malware’s name suggests the same thing (the Russian slang term “Cutlet” means “a bundle of money”).
The Kaspersky Lab researchers say that the crimeware kit is a collection of programs probably written by different authors, but the same protection was used for both CUTLET MAKER and Stimulator. There is also a simple terminal-based application called c0decalc that is not protected at all.
According to the experts, the malware’s functionality suggests that two people are involved in the theft: a “drop” and a “drop master”.
“Access to the dispense mechanism of CUTLET MAKER is password protected. Though there could be just one person with the c0decalc application needed to generate a password. Either network or physical access to an ATM is required to enter the code in the application text area and also to interact with the user interface,” the security experts state.
The Kaspersky Lab team discovered different versions of the main component, the first known version of which was submitted to a public multiscanner service in June last year.
“This type of malware does not affect bank customers directly, it is intended for the theft of cash from specific vendor ATMs. CUTLET MAKER and Stimulator show how criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM,” the Kaspersky experts say.
Countermeasures against this type of malware attack include default-deny policies and device control; the former prevents criminals from running their own code on the ATM’s internal PC.
Kaspersky Lab claims that the hackers using this malware probably had physical access to the ATM’s computer, most likely installing the malware onto the system via USB drives.