Ebryx forensic analysts identified an organized criminal group operating in the South-Asian region. The group used ATM malware to dispense cash directly from the ATM tray, and in almost all the attacks the criminals specifically targeted NCR ATMs. The malware exploits a fundamental flaw in how the ATM application communicates with the cash dispenser. The attack did not require any communication with the ATM switch (no activity over the ATM network), which allowed the attackers to dispense cash amounts of their choice. This constitutes a critical attack for financial institutions.
Most ATMs around the world use CEN/XFS (eXtensions for Financial Services) as the standard architecture for client-server financial applications on Microsoft Windows. XFS provides the API used to interact with the ATM hardware, so it can also be used to interact with the ATM's cash dispenser. Moreover, several XFS exploration tools, such as XFSC, are publicly available. As a result, anybody with command execution on an ATM can dispense cash.
To conduct a successful attack, the attacker must gain physical access to the ATM's hardware and insert a USB device containing the malware. Because ATMs usually run in lockdown mode, executing an arbitrary application directly would be nearly impossible. Instead, the attackers used a Hiren's bootable USB to reboot the ATM into a customized OS and then executed their malware from there. This, in essence, bypasses all OS-specific security controls on the ATM.
The criminals used two separate pieces of malware, alternating between them. The first (NCRApp.exe) requires the attacker to execute it manually. The other (hello.exe) is automated and only dispenses cash from the first cassette, which usually contains the highest-value bills. Both pieces of malware are, in fact, XFS managers that, upon execution, load the XFS DLL provided by NCR (alongside the legitimate application) to connect to the cash dispenser module.
The execution flow of NCRApp.exe can be seen below:
The other malware, hello.exe, has a different flow. Although it uses the same XFS DLL provided by NCR, it checks whether it is running on an NCR ATM or on another vendor's machine before performing the cash dispensing operation.
PDB Path: C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb
Registry Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "Amigo", data %SYSTEMDRIVE%\NCR32\NCRApp.exe
YARA Rules: Yara rules to detect the ATM jackpotting malware can be found at our GitHub repository.
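As an added triage example (not code from Ebryx or from the report above), the following Python helper checks a PE sample for the PDB path listed in the indicators and checks an exported Run-key listing for the persistence entry. The PDB extraction is general: it recovers the path from any CodeView "RSDS" record, not only this sample's. The PE bytes and registry values used as input are constructed here for illustration.

```python
import re
import struct
from typing import Dict, List

# Indicators as listed in the report (PDB path and Run-key persistence entry).
IOC_PDB_PATH = r"C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb"
IOC_RUN_VALUE = "Amigo"
IOC_RUN_DATA = r"%SYSTEMDRIVE%\NCR32\NCRApp.exe"

# CodeView RSDS record: 'RSDS' signature | 16-byte GUID | 4-byte age | NUL-terminated path
RSDS_HEADER = struct.Struct("<4s16sI")


def extract_pdb_paths(pe_bytes: bytes) -> List[str]:
    """Return every PDB path found in RSDS records of a PE image.
    Scanning raw bytes instead of walking the debug directory is a triage
    shortcut that still works on truncated or partially packed samples."""
    paths = []
    for m in re.finditer(b"RSDS", pe_bytes):
        start = m.start() + RSDS_HEADER.size
        end = pe_bytes.find(b"\x00", start)
        if end == -1 or end == start:
            continue  # truncated record or empty path: not a usable hit
        try:
            paths.append(pe_bytes[start:end].decode("ascii"))
        except UnicodeDecodeError:
            continue  # 'RSDS' occurred in data that is not a CodeView record
    return paths


def pdb_path_matches(pe_bytes: bytes) -> bool:
    """True if the sample embeds the PDB path reported for hello.exe."""
    return any(p.lower() == IOC_PDB_PATH.lower() for p in extract_pdb_paths(pe_bytes))


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values matching the reported persistence entry, either by
    the value name 'Amigo' or by data pointing at NCR32\\NCRApp.exe."""
    hits = []
    for name, data in run_values.items():
        cleaned = data.strip('"').lower()
        if name.lower() == IOC_RUN_VALUE.lower() or cleaned == IOC_RUN_DATA.lower() \
                or cleaned.endswith(r"\ncr32\ncrapp.exe"):
            hits.append(name)
    return hits


def _fake_pe_with_rsds(path: str) -> bytes:
    """Constructed stand-in for a PE file: filler bytes around one RSDS record."""
    record = RSDS_HEADER.pack(b"RSDS", b"\x11" * 16, 1) + path.encode("ascii") + b"\x00"
    return b"MZ" + b"\x90" * 64 + record + b"\x00" * 16


# Constructed example of values exported from HKLM\...\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Amigo": r"%SYSTEMDRIVE%\NCR32\NCRApp.exe",
}
```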
While analyzing the malware, we observed that its capabilities and characteristics, especially the PDB path "C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb" and the compile timestamp "Sun Feb 10 18:13:13 2019 | UTC" of hello.exe, overlapped with the findings published by Group-IB about the Silence Group back in 2019. "NCRApp.exe" is the ATM jackpotting malware known as "ALICE" or "Project ALICE".
This points to one of two possibilities, both with huge impact: either the Silence Group hired money mules in the South-Asian region to expand its operations, or an entirely distinct group in the same region got hold of the malware and is on the rise.