GreenDispenser ATM Malware Deletes Itself after Each Heist

Security researchers are warning of a new strain of ATM malware designed to allow hackers to completely drain a cash point of money and leave virtually no trace of how they did it.

GreenDispenser is similar to the Padpin trojan discovered a couple of years ago, but with a few key differences, according to security vendor Proofpoint.

It’s coded to run only if the date is earlier than September 2015, “suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection.”

The malware is also designed to require a static hardcoded PIN to authenticate the attacker. It then features a second dynamic PIN unique to each run of the malware.

Proofpoint continued:

“The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN -- a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist. In addition, GreenDispenser has the capability to perform a deep delete after the heist to prevent forensic analysis and IR investigations.”

GreenDispenser can only be installed on an ATM with physical access, which could indicate that security staff or other banking personnel have colluded with the hackers.

It also follows other ATM malware in using the widely adopted XFS middleware to interact with the pinpad and cash dispenser, Proofpoint said.

So far attacks have only been spotted in Mexico, although the vendor argued it’s “only a matter of time” before the same techniques are seen in ATM malware campaigns worldwide.

ESET security specialist, Mark James, argued that ATM malware is getting more sophisticated and widespread, despite the risk of getting caught.

“Because most ATMs are just computers these days they are of course subject to the same vulnerabilities or exploits that can affect us all. Financial organizations will need to look not only at the hardware used to dispense cash, but also the security of the software sat on it,” he told Infosecurity.

“As we all know, if software is used to make it, then software can be used to break it, and there’s no shortage of people willing to try to get their hands on free cash, which of course can and will be used to fund other criminal activities.”

What’s Hot on Infosecurity Magazine?