Automated Teller Machine (ATM) Malware Hits Nepal Cyber Space

Every day, financial institutions are hit by cyber attacks, and most of these attacks are carried out with malware. As cyber crime has grown, new breeds of malware have been developed: mobile malware, bootkit malware, firmware malware and now ATM malware.


Malware is short for “malicious software” and refers to any computer program designed to damage a computer system or perform unwanted actions on it. Malware has become more sophisticated, and cybercriminals are using it to target new kinds of machines. One example of a sophisticated attack is the attack on ATM machines.

The first ATM malware surfaced in 2007, when a Trojan was used to attack ATMs in Ukraine and Russia. Since then, ATM malware has grown in number and spread across the globe.

ATM malware has been used to attack banks directly in order to:

  • Capture debit card information
  • Steal cash from the ATM

Normally, malware installed on an ATM steals a copy of the customer’s PIN and card information. Stealing cash from the ATM, however, requires the attacker to rewrite portions of the ATM software and install the modified version on the host. The criminal or an accomplice then goes to the ATM with a trigger card that sends the altered code instructions, causing the machine to pass large amounts of currency to the criminal.

Let us list the ATM malware families that have spread globally.

Ploutus is a Trojan horse that opens a back door on a compromised Automated Teller Machine (ATM). It was discovered by Symantec on September 4, 2013. The back door it creates on the compromised ATM allows an attacker to perform the following actions:

  • Dispense all money in the ATM
  • Activate the Trojan on demand
  • Read all cardholder information entered through the keypad

Padpin is a Trojan horse that targets automated teller machines (ATMs) running Windows 7 and Windows XP. The Trojan lets an attacker use the ATM PIN pad to submit commands to it. It was discovered on May 9, 2014.

SUCEFUL was discovered by FireEye in August 2015. It targets cardholders and is able to retain debit cards inside infected ATMs, disable alarms, and read the debit card tracks. SUCEFUL is the first multi-vendor ATM malware targeting cardholders: it was created to steal the tracks of debit cards but also to steal the physical cards themselves, which clearly raises the bar of sophistication for this type of threat.

GreenDispenser ATM malware can be installed by an attacker who has physical access to the machine. It gives the attacker the ability to walk up to an infected ATM and drain its cash vault. Once installed, GreenDispenser may display an ‘out of service’ message on the ATM, but attackers who enter the correct PIN codes can drain the ATM’s cash vault and then erase GreenDispenser using a deep-delete process, leaving little if any trace of how the ATM was robbed.

Tyupkin is a piece of malware that allows cybercriminals to empty cash machines by manipulating them directly. The malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running 32-bit Microsoft Windows.

Recently, we received a malware sample from one of our customers. We analyzed the sample and found that it was the Tyupkin ATM malware.

According to Kaspersky Lab, this malware conducts its attack in two stages.

Stage 1 – Access and Infection

First, the attackers gain physical access to an ATM and insert a bootable CD to install the malware, code-named Tyupkin (Backdoor.MSIL.Tyupkin). Once the ATM system has been rebooted, the infected ATM is under their control.

Stage 2 – Control and Theft

The infected ATM then runs in an infinite loop waiting for a command. To make the scam harder to identify, Tyupkin only accepts commands at specific times on Sunday and Monday nights. It is during those windows that the cybercriminals are able to steal money from the infected machine.


In November 2015, a Bulgarian hacker, Vecilin Georgelare, was arrested while attempting to steal from an ATM here in Nepal. He was caught while connecting his laptop to the ATM. Looking at this incident, we can guess that he may also have infected the ATMs of other banks with malware.

Mitigation Recommendations

Rigo recommends the following remediation guidance for financial institutions that operate ATMs.

  • Upgrade ATMs to a supported operating system (e.g. Windows 7 or newer versions).
  • Use full disk encryption to help prevent disk tampering.
  • Provide adequate physical protection.
  • Install an efficient CCTV monitoring system to protect the ATMs and be sure that security alarms work. Be sure that the cameras are visible, which could work as a deterrent.
  • Periodically review the state of physical and logical security status of the installed ATMs. Experts at Kaspersky Lab revealed that cyber criminals behind Tyupkin infected only those ATMs that had no security alarm installed.
  • Regularly check the ATM for signs of tampering (e.g. deployment of skimmers).
  • Change default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
  • Lock down the BIOS to prevent booting from unauthorized mobile media (e.g. CD-ROMs or USB sticks).
  • Install a system lockdown solution.
  • The ATM should be securely fixed to the floor with an anti-lasso device.
  • Be aware of possible social engineering attacks by criminals who try to collect information on the installed ATMs by pretending to be inspectors.
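Several of the items above (supported operating system, full disk encryption, boot lockdown, no booting from removable media) can be verified from inside the ATM's Windows host rather than taken on trust. The following read-only audit script is an added example written for this post; it is not Rigo's tooling or any vendor's code. It assumes PowerShell 5.1 or newer running with administrator rights, that the BitLocker cmdlets are present (they are absent on Windows 7, in which case the encryption check reports "unknown"), and that Secure Boot is only meaningful on UEFI firmware (on legacy BIOS the check also reports "unknown" rather than failing). The USBSTOR registry check is a commonly used way to confirm that USB mass-storage drivers are disabled; it does not replace a BIOS/UEFI password and boot-order lock, which must be verified at the firmware itself.

```powershell
# Added example (not from the original post): read-only audit of ATM host hardening
# items from the mitigation list. Assumes PowerShell 5.1+, run as administrator.

function Get-AtmHardeningReport {
    $report = [ordered]@{}

    # 1. Supported operating system: Windows 7 is NT 6.1, so anything older is unsupported.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $report['OSVersion']   = "$($os.Caption) $($os.Version)"
    $report['OSSupported'] = ($ver -ge [version]'6.1')

    # 2. Full disk encryption: BitLocker protection state of the system drive.
    #    The BitLocker module does not exist on Windows 7, so report "unknown" there.
    if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $sysVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $report['DiskEncrypted'] = ($sysVol.ProtectionStatus -eq 'On')
    } else {
        $report['DiskEncrypted'] = 'unknown (BitLocker cmdlets not available)'
    }

    # 3. Boot lockdown: Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS
    #    or without administrator rights, so treat either case as "unknown".
    try {
        $report['SecureBoot'] = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $report['SecureBoot'] = 'unknown (legacy BIOS or insufficient privilege)'
    }

    # 4. Removable media: USB mass-storage driver disabled when USBSTOR Start = 4.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    if ($null -ne $usbstor) {
        $report['UsbStorageDisabled'] = ($usbstor.Start -eq 4)
    } else {
        $report['UsbStorageDisabled'] = 'unknown (USBSTOR service key not found)'
    }

    # 5. Last boot time: an unexpected reboot on an unattended ATM (the infection stage
    #    described above relies on a reboot from CD) is worth correlating with CCTV.
    $report['LastBootTime'] = $os.LastBootUpTime

    return [pscustomobject]$report
}

# Usage: run on the ATM host and keep the output with the periodic review records.
Get-AtmHardeningReport | Format-List
```

Every field that is not a plain $true should be treated as a finding to follow up by hand, since a value of "unknown" means the control could not be confirmed from software, not that it is in place.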

If you need any Information Security consultancy, please contact us.

