An updated version of Skimer has emerged. This is malware that was first seen around seven years ago, built to compromise Windows-based cash machines. After infection, it can either dispense cash or steal card credentials. The new modifications are designed to evade detection.
On installing, the malware checks whether the file system is FAT32 or NTFS. If FAT32, the executable is placed in the \System32 directory; if NTFS is found, the malware writes itself into an NTFS data stream tied to Microsoft's Extensions for Financial Services (XFS). Kaspersky Lab say that this methodology is probably intended to obstruct forensic analysis.
XFS is only employed in ATMs; it provides the application programming interface (API) that lets software communicate with the PIN pad. Microsoft obviously does not provide public access to these specifications, though a few years ago instructions about the system were leaked from a programmer's manual onto a Chinese e-book site.
The updated Skimer modifies the XFS executable (SpiService.exe) and loads a component (netmgr.dll). This creates a bridge from the malware to the card reader and PIN pad. Skimer only reacts to certain cards: those with specific data on Track 2. If the card meets the criteria (i.e. it is the attacker's card), the malware opens its own interface. If the card is not 'admin authorized', it allows normal ATM procedure and sleeps. Once the 'special' card has been authorized, the attacker can issue commands such as dispense cash, collect card details or uninstall. This is why the stealth update was required: for sustained operation.
Despite the evasive measures that these updates have given the malware, Kaspersky researchers have some ideas about detecting Skimer: 'One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware'.
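The detection idea in that quote, the bank searching its own processing records for the activation card numbers, is straightforward to put into code. The following is an added example written for this article; it is not Kaspersky's tooling or anything from the Skimer analysis. It assumes a constructed pipe-separated transaction log (timestamp, ATM identifier, raw Track 2 data) and uses well-known test card numbers as placeholder watchlist entries, since the real indicators are not reproduced here. The watchlist is stored as SHA-256 fingerprints so the script itself never has to carry plaintext PANs, and any hit is reported with the PAN masked.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Track 2 layout (ISO/IEC 7813): optional ';' start sentinel, PAN of up to
# 19 digits, '=' separator, expiry YYMM, 3-digit service code, discretionary
# data, optional '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??$"
)


def parse_track2(raw: str) -> Optional[Dict[str, str]]:
    """Split a raw Track 2 string into its fields; None if it is malformed."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    return {
        "pan": m.group("pan"),
        "expiry": m.group("exp"),
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),
    }


def luhn_ok(pan: str) -> bool:
    """Luhn check; an activation card need not be a validly issued PAN, so
    this is reported as context rather than used to filter records."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_fingerprint(pan: str) -> str:
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed placeholder watchlist (public test card numbers); real entries
# would come from the vendor's indicator list, loaded as fingerprints.
WATCHLIST = {pan_fingerprint(p) for p in ("4111111111111111", "5500000000000004")}


def scan_transactions(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per transaction whose Track 2 PAN is on the watchlist."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if len(parts) != 3:          # truncated or foreign record: skip
            continue
        ts, atm_id, track2 = parts
        rec = parse_track2(track2)
        if rec is None:              # not parseable as Track 2: skip
            continue
        if pan_fingerprint(rec["pan"]) in WATCHLIST:
            hits.append({
                "time": ts,
                "atm_id": atm_id,
                "pan_masked": mask_pan(rec["pan"]),
                "luhn_valid": luhn_ok(rec["pan"]),
            })
    return hits


# Constructed sample log: two watchlisted swipes on two different ATMs, one
# ordinary card, one unparseable Track 2 field and one truncated record.
SAMPLE_LOG = [
    "2016-05-17T09:12:03Z|ATM-0042|;4111111111111111=2512101123456789?",
    "2016-05-17T09:15:44Z|ATM-0042|;4000056655665556=2701201000000000?",
    "2016-05-17T10:01:10Z|ATM-0107|;5500000000000004=2309101000000000?",
    "2016-05-17T10:02:00Z|ATM-0107|malformed-track-data",
    "2016-05-17T10:03:00Z|ATM-0107",
]

if __name__ == "__main__":
    for hit in scan_transactions(SAMPLE_LOG):
        print(f"{hit['time']} {hit['atm_id']} watchlisted PAN {hit['pan_masked']}"
              f" (luhn_valid={hit['luhn_valid']})")
```

Run against real processing data, each hit identifies an ATM (and a time) where an activation card was presented, which is exactly the "potentially infected ATM" signal the researchers describe; the same fingerprint matching works on authorisation-host logs where the full PAN is available.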
How Skimer and similar bank malware are installed varies. Sometimes it is simply installed through an insider compromise. It can also be loaded by opening the front of the machine, if keys are available; the malware can be installed via stolen remote support credentials; and of course there is the traditional method of hacking the bank's internal network.
The ways to defend against Skimer, according to Kaspersky, are regular scans; use of whitelisting; full disk encryption; securing the BIOS with passwords; allowing booting only from the HDD; and isolating ATMs from other internal networks.
It is interesting to note that even with knowledge of the Chinese leak several years ago, the ATM manufacturer NCR didn't see this threat coming or try to mitigate it.