New ‘Ripper’ Malware Pegged for Thai ATM Heists

FireEye believes it has found the malware used in a sophisticated campaign to steal 12 million baht (£265,400) from ATMs in Thailand.

The so-called ‘Ripper’ malware targets three major global ATM manufacturers – a first, according to the US security firm.

It’s unusual in that it interacts with the targeted machine via a specially crafted bank card featuring an EMV chip which acts as an authentication method.

Ripper was also uploaded to Virus Total in Thailand – the country where the heists took place – and contained a PE compile timestamp of 10 July 2016. This coincides with the start of the robberies, FireEye malware researcher Daniel Regalado explained in a blog post.

It’s also been reported that the malware used in the robberies was able to disconnect the ATM from its network in order to prevent it from communicating with the bank – which is precisely how Ripper operates.

Once it has accessed the system, the malware allows its authors to enter instructions via the ATM pinpad, and features an ‘sdelete’ secure deletion tool to remove forensic evidence following the raid.

Ripper will also ensure a limit of 40 notes are dispensed – the maximum allowed by ATM vendors.

“In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical,” concluded Regalado. “This speaks to the formidable nature of the thieves.”

Local police believe at least six eastern Europeans made the illegal withdrawals from 21 machines in six provinces of the country between 9 July and 8 August.

The NCR-built ATMs targeted were in Phuket, Surat Thani, Chumphon, Prachuap Khiri Khan, Phetchaburi and Bangkok, according to the Bangkok Post.

In Surat Thani, the thieves apparently managed to steal 2.6m baht (£57528) from four machines.

Police are said to be focusing their search on CCTV cameras in areas where rental cars are popular.

Kevin Bocek, vice president of Security Strategy & Threat Intelligence at Venafi, argued that the rise in malware targeting POS and ATMs is “part of the natural criminal cycle.”

“POS and ATM devices were the original Internet of Things (IoT). Understanding how these attacks are playing out indicates how hackers will target high value IOT, including those that process transactions and other activities of value,” he added.

“Retailers are now understanding that every piece of code that runs on a POS must be digitally signed to establish if it is trusted or not. Banks need to understand the same for ATMs.”

What’s Hot on Infosecurity Magazine?