All About HackingBlackhat Hacking ToolsFree CoursesHacking

Hacking ATMs: The New Wave of Malware 2023

In this article we will learn about Hacking ATMs.

Introduction about Hacking ATMs:

In recent weeks, security experts from Kaspersky Lab have noticed several attacks on automated teller machines (ATMs) that were infected with malware called Tyupkin. Tyupkin is one of the most popular malware used by criminals to compromise ATMs and force these machines to release cash on demand. Experts from Kaspersky Lab collected evidence that Tyupkin infected at least 50 ATMs, mainly in Eastern Europe.

Tyupkin is just one of the various types of malware used in the cybercriminal ecosystem to hack ATMs. In May 2013, security experts spotted another ATM Trojan called Padpin; meanwhile, in October 2013, malware researchers isolated samples of another malware called Ploutus, which was distributed to compromise bank machines and steal cash from them.

In this post, we will try to analyze each of the above mentioned ATM malware and suggest countermeasures to defend the machines.

ATM hacking

Cybercriminals are adopting even more creative and sophisticated tactics to collect users’ personal information. Banking is one of the industries most targeted by cybercriminals. Very interesting are the techniques used by criminals to steal money using malicious code or to capture users’ PINs directly from ATMs.

“It just blows your mind how sophisticated these people are in coming up with these things,” says Bryan Sartin, director of Verizon Communications’ data breach investigation team.

US intelligence estimated annual losses from ATM skimming in 2008 at more than $1 billion. In the past, cybercriminals used fake number pads and skimmers to steal debit card PINs, a risky practice due to the need to deploy a sniffer device and then come back to remove it while avoiding tracking.

For this reason, cybercriminals have developed their attack scheme to steal users’ PINs directly from ATMs and remote locations such as gas stations. Hackers use the banks’ wireless Internet connections used by financial institutions to monitor ATM cash flow and update software.

“Regulators at the Federal Financial Institutions Examination Council warned in April that ATMs of small and medium-sized banks are a preferred target for criminals who hack bank websites to increase ATM withdrawal limits and then clean out people’s accounts,” Bloomberg Businessweek reports.

Criminals are able to capture the PIN remotely, according to the Verizon report. Another common tactic is to get work for tech support companies that give them access to ATMs, then install malicious code that can steal and transmit PIN data back to the attackers via an email address or phone line.

Remote hacking of web-connected ATMs is a serious problem that occurs very often. In March, the FBI identified 17 people involved in a card scam that stretched from Bulgaria to Chicago.

The technology used in these attack schemes is available in the cybercrime ecosystem. Criminals could easily obtain memory chips and transmitters that make it possible to assemble PIN-hacking devices thin and light enough to be easily hidden inside ATMs installed by banks.

In December 2013, security experts noted a wave of attacks against ATMs. The criminals cut a piece of the machine’s chassis to reveal a USB port and plug in USB drives carrying their malicious code.

A detailed description of the technique was presented by two German researchers at the last Chaos Computing Congress in Hamburg, Germany. The technique was used against ATMs of an unnamed European bank ATM.

The two researchers who presented the attack asked not to be identified. This event dates back to July 2013 when a number of ATMs were attacked despite taking the necessary and normal defense measures. Attackers were able to steal the highest denomination notes to minimize the duration of the theft and the window of detection.

The results of the investigation revealed that cyber thieves were destroying ATMs to infect them with USB sticks. After breaching the ATM, they patched up the holes and hid all evidence of the attack. They targeted the device several times this way.

According to investigators, the criminals have “deep knowledge of the targeted ATMs”. The malware itself appeared to be very complex and designed for a specific target.

Forensic analysis of the infected machines revealed that creating the malicious code would require a huge team of skilled developers. Experts believe that it is not a prototype. Malware design requires significant economic effort over a long period of time, and the source appears to be sophisticated and perfectly written. The researchers also found that the software is the result of many improvements.

“They must have had a deep knowledge of ATMs… Most likely they should have actually tested one. Either they stole one and reverse-engineered the money client, or most likely they had someone on the inside,” revealed one of the researchers.

Once it infects a computer, the malware launches with a 12-digit passcode written by cybercriminals, and the software launches a special interface. Malware instances were found on four targeted computers. The malware was able to display the amount of money available in each banknote denomination and presented a series of bid items to release them.

Investigators made an interesting discovery: the thieves, guided by mutual distrust, implemented a mechanism to access the money, which requires the introduction of a double code, one for each component of the gang.

“However, it appears that the masterminds of the crimes were concerned that some of their gang might take a ride and go solo.” To counter this risk, the software required the thief to enter a second code in response to the numbers displayed on the ATM’s screen before he could release the money,” the BBC post said.

The two-factor authentication process means that a thief could only get the passcode by calling another gang member and telling them the displayed numbers. In the event of a malfunction, the ATMs would return to normal after three minutes.

The malware is also capable of capturing information such as customer PINs or account details, although its primary function is to get cash instantly.

Just for fun, the name of the key file was called hack.bat. A German researcher noted that similar attacks could soon be seen elsewhere:

“I’m not sure if this is the final attack or the end of the game… We’ll probably see this kind of malware in another bank, in another city, on another continent.”

Tyupkin malware used to force an ATM to dispense cash

In most cases, criminals have compromised ATMs by tampering with card skimmers, which are used to steal card data, but in recent months, criminal organizations in Eastern Europe have also shown great interest in other hacking-based techniques. ATM with malware.

The malicious code allows cybercriminals to compromise an ATM without using cloned credit cards and force it to release cash on demand. Interpol conducted a joint investigation with researchers from Kaspersky Lab, which allowed them to determine that the Tyupkin malware, which infected nearly 50 machines in banking institutions, was from a specific manufacturer with a 32-bit version of Windows.

Investigators found that the Tyupkin malware, which primarily affected banking institutions in Eastern Europe, may have spread to several other countries, including the US, India and China.

Figure 1 – Tyupkin infection worldwide (Kaspersky)

The researchers had the opportunity to evaluate several variants of the Tyupkin malware, so they were able to analyze the improvement of the malicious code over time. Coded as .d, the latest variant includes anti-debugging and emulation features, and the new variant is capable of neutralizing vendor-specific application security software.

Cybercriminals target ATMs that lack or have limited physical security measures and run outdated or out-of-date operating systems that could easily be compromised by malware.

Attackers need to physically gain access to the target ATMs and install the malware by loading it from a bootable CD and copying several files to the computer. One of the files is an executable and debug file that is removed after the registry key is created to ensure continued durability. The second, once it infects the ATM, allows the malware to wait for user input. To complicate the investigators’ analysis, the malware remains inactive during the week, except on Sunday and Monday nights, when it accepts requests from criminals who have physical access to the ATM.

The ability to configure the malicious code to run only at certain times, along with the implementation of a challenge-response authentication mechanism, allows hackers to secure access to an infected ATM.

“When the key is entered correctly, the malware displays information about how much money is available in each cartridge and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cartridge,” the researchers wrote.

ATM malware is designed to avoid detection and ensure that only a single attacker is present in the banking system. Another measure implemented by the Tyupkin developers is to disable the local network, a measure necessary to prevent any remote diagnostics that could detect the malware and trigger countermeasures to neutralize it.

The basic commands accepted by the malware via PIN PAD to the ATM are:

  • XXXXXX – Displays the main window.
  • XXXXXX – Custom deletion using a batch file.
  • XXXXXX – Increases the duration of malware activity.
  • XXXXXX – Hides the main window.
  • As expected, Tyupkin asks for a session key at this point to prevent interaction with random users. If the user provides the above key, it is possible to communicate with the ATM. Once the malware has received the correct key, it displays the following message:


At this point, the criminal just needs to select the number of the cassette and the ATM will issue 40 banknotes from it. Be careful because if the attacker does not provide the correct key, the malware will disable the local network and display the message:


Another interesting element to consider is that the malware interacts with the ATM through the MSXFS.dll – Extension for Financial Services (XFS) standard library. This library is a standard Microsoft library for which there is no public documentation, but it is still exploited by Tyupkin and other malicious code.

Figure 2 – Proof of Concept Image of the attack on the ATM

“The Tyupkin malware is an example of how attackers exploit weaknesses in ATM infrastructure,” said Vicente Diaz, senior security researcher in Kaspersky Lab’s global research and analytics team. “We strongly recommend that banks review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions… The fact that many ATMs run on operating systems with known security vulnerabilities and the absence of security solutions is another issue that needs to be addressed. to be addressed urgently,” added Diaz.

Figure 3 – Tyupkin attack (Kaspersky Lab)

Ploutus malware – How to rob ATMs using SMS messages

The Tyupkin malware is just the latest malicious code that investigators have discovered. In March, Symantec experts discovered a series of attacks on ATMs based on Windows XP.

In March 2014, a team of Symantec researchers detected a malware strain called Ploutus capable of exploiting a vulnerability in Windows XP-based ATMs. The malware infected several machines in Mexico, and according to experts, the threat actors were able to steal cash just by sending text messages to an ATM.

“The new variant has been identified as Backdoor.Ploutus.B (referred to as Ploutus in this blog). What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to a compromised ATM, then walk up and collect the cash that was dispensed. It may seem unbelievable, but this technique is currently being used in many places around the world.”

Symantec experts published an interesting analysis of the Ploutus malware, which highlighted the level of sophistication of the attacks. As the researchers explained, attackers need to have physical access to the ATM in order to connect the mobile phone via USB tethering, which allows them to share the network connection between the phone and the ATM.

Once the connection is established, the attacker starts sending specific SMS commands to the phone connected or hardwired in the ATM.

“Since the phone is connected to the ATM through a USB port, the phone also draws power from the connection, which recharges the phone’s battery. As a result, the phone will stay powered indefinitely.”

Experts have discovered several versions of the PLOUTOS malware. Most advanced instances are capable of stealing customer card data including PINs, and experts have revealed the existence of a version that is also capable of launching a man-in-the-middle attack.

The attack scenario described by Symantec experts consists of the following steps:

  • An attacker physically approaches an ATM and connects a mobile phone using a USB cable, then injects the Ploutus malware.
  • The attacker sends several SMS messages with specific content to the mobile phone inside the ATM.
  • The first SMS contains a valid activation ID, which the attacker uses to activate the malicious code.
  • The second SMS contains a valid withdrawal order that will instruct the ATM to withdraw money.
  • The mobile phone in the ATM receives valid SMS messages and converts them into network packets that are transmitted to the ATM via a USB cable.
  • The malware features a Network Packet Monitor (NPM) component that scans all incoming traffic waiting for specific sequences representing the attacker’s commands. When NPM receives a valid TCP or UDP packet from a mobile phone, it parses the packet and looks for the number “5449610000583686” with a specific offset in the packet. This way, the module is able to parse the entire data packet, and once it finds a specific number, NPM reads the next 16 digits and uses them to create a command line to run Ploutus. An example of such a command is shown below:
  • cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985

“In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal greater security and the ability to centrally manage cash withdrawals. The code is active for 24 hours,” according to Symantec.

  • The cash withdrawal amount is preset in the malware code.
  • An attacker just needs to withdraw cash from a hacked ATM.

Ploutus has been detected by security experts in various countries around the world. Symantec explained that this type of attack could benefit from the lack of security updates released for operating systems that are no longer supported by vendors, such as Windows XP.

The lack of appropriate defenses, such as hard drive encryption, is another element of concern, but the primary cause of this type of attack is the lack of physical security of the computer inside the ATM. ATMs located in remote and isolated locations are usually more exposed to crime.

Also Read Hacking ATMs:Ethical Hacking Interview Questions 2023

We’ve analyzed a few of the most popular malware used to compromise ATMs, Tyupkin and Ploutus, but other malicious code has also hit banking systems in the past. In May 2013, researchers discovered another ATM Trojan, called Padpin, which has something to do with the recently discovered malware.

Developing malware capable of compromising an ATM requires a good understanding of the architecture of these machines and the devices they use. Security experts say that the malware authors of the malicious code they recently spotted had access to this kind of information[Hacking ATMs].

A recently published report has raised concerns among malware researchers. The author of the malicious code used in the recent attacks obtained information about the ATM’s architecture from a leaked programming manual for interacting with the machines’ physical components.

The manual may have helped malware authors design a malicious application that was used to steal cash from ATMs.

F-Secure malware researchers analyzed several samples of the Padpin malware and found that its code is written to allow interaction with ATM components via the Extension for Financial Services DLL (MSXFS.dll), which is specifically used by Automated Teller Machines. . The library provides a special API for communicating with the ATM’s PIN block.

“While analyzing the code, we began to wonder how the malware author knows which pin pad service name to provide to the API so that the program is able to interact with the pin pad device,” F-Secure researchers said in a blog post.

F-Secure researchers confirmed the fact that the DLL used by the malware authors is not officially documented by Microsoft, speculating that bad actors gain access to the information in another way.

“It’s a valid question because the pin pad service name used in the code is completely unique, and it’s very unlikely to figure out the service name without documentation,” the expert added.

Dll information is available in the programmer’s reference manual from NCR, a popular manufacturer of ATMs and point of sale devices. The document was published on an e-book site owned by Chinese online search company Baidu.

According to experts, it is not only malware programmers with experience writing ATM applications who could have gained valuable information by reading the leaked manual, but also other coders.

“The documentation is useful enough to provide programmers with sample code as well,” the researchers said.

While we’re debating… 18 ATMs hacked in Malaysia

Using malware to compromise ATMs is becoming a common cybercrime practice. Latin American criminal gangs recently hacked eighteen ATMs in Malaysia. Criminals stole almost 3 million Malaysian ringgit, or over US$900,000, from bank machines, according to major media agencies.

The media highlighted the fact that a RM100 chip, specific technical knowledge and free malware obtained over the internet are all that are required to hack ATMs.

The revelation was made by a cybercrime expert who gave an exclusive interview to FMT ( According to the expert, criminal gangs stole more than $1.2 million from the ATMs of at least 17 bank branches belonging to United Overseas Bank, Affin Bank, Al Rajhi Bank and Bank of Islam. Closed-circuit television (CCTV) footage from the banks showed that 2-3 Latin American men entered and withdrew money from these targeted ATMs.

“What you need is a mastermind, a RM100 computer chip and maybe a bank ‘insider’ to carry out the attacks,” he said.

The theft represents an element of concern for the banking sector, which an expert says is losing ground in the fight against cybercrime.

“Banks should be serious about their security, and not just for compliance… This mentality needs to change to build security into the bank’s DNA.”

The investigator explained to the journalist that similar attacks can be organized only based on the knowledge of the architecture of the targeted ATM and do not require specific knowledge.

“A hacker will know where the locks and connections are, the model of the machine, the level of security and the version of the operating system,” the expert explained.

The expert also pointed out the roles of the guys caught on security cameras in the bank

“The guys caught on CCTV are not real criminals… It’s like a ‘monkey see, monkey do’ situation. They can be shown what to do without any technical knowledge. They probably don’t even know what they’re doing.”

It could be very easy to compromise an ATM with malware, and the malicious code could easily be obtained on the underground market for a few thousand dollars. A security expert has no problem wreaking havoc on a real banking system.

“It’s a simple attack because there is a lot of free malware available on the Internet. And it’s definitely something the bank needs to think about seriously.”

The expert drew attention to the incorrect approach of the banking sector in protecting ATMs. In many cases, ATMs have an outdated operating system, lack patch management, or are misconfigured. According to an expert who has conducted several penetration tests and vulnerability assessments, banking systems are vulnerable to external attack in many cases, and the attacks have allowed investigators to breach banking systems.

“The bank I worked for was not happy that we disrupted the system after the hack,” he said. “Either they wanted to make sure we didn’t find anything, or they were going to hire incompetent people who wouldn’t find anything.”

“Banks take things for granted because nothing like this has ever happened before,” the expert added. “They depended a lot on CCTV and in some places they don’t even have security.”

Experts also claimed that the insufficient use of encryption technology was discovered during the tests. Attacks could expose sensitive data to tampering and facilitate the hacking of these machines by a malware-based attack.

“It is also due to the lack of encryption technology such as Public Key Infrastructure (PKI)… If PKI was implemented, this would not have happened,” he added.

Conclusion – How to protect ATMs

The banking sector is working to improve the security of modern ATMs to respond to the numerous cyber attacks that experts are observing. New ATMs come with enhanced security features by default, such as hard drive encryption, which can prevent malware from being installed.

However, older ATMs still deployed around the world run Windows XP and in many cases are vulnerable to external cyber attacks, and the problem is particularly severe for machines deployed in a variety of remote locations. Another issue that needs to be addressed is the physical security of the computer inside the ATMs. While an ATM’s money is locked in a safe, a computer generally isn’t. Without adequate physical security for these older ATMs, the attacker has the upper hand.

Below is a list of mitigation measures that could be taken to improve ATM security:

  • Upgrade ATMs to a supported operating system (eg Windows 7 or later).
  • Use full disk encryption to prevent disk tampering.
  • Provide adequate physical protection.
  • Install an effective CCTV monitoring system to protect ATMs and make sure security alarms are working. Make sure the cameras are visible, this can act as a deterrent.
  • Regularly check the state of physical and logical security of installed ATMs. Experts from Kaspersky Lab revealed that the cybercriminals behind Tyupkin infected only those ATMs that did not have any security alarm installed.
  • Regularly check the ATM for signs of manumissions (e.g. deployment of skimmers).
  • Change the default upper pool lock and keys on all ATMs. Do not use the default master keys provided by the manufacturer.
  • Lock the BIOS to prevent booting from unauthorized removable media (eg CD ROM or USB sticks).
  • Install a system lock solution.
  • The ATM should be securely fastened to the floor with an anti-lasso device.
  • Be aware of possible social engineering attacks by criminals who try to collect information about installed ATMs by impersonating inspectors.

We close the post with a famous insight from Sanjay Virmani, Director of INTERPOL’s Digital Crime Center, who is sure that criminals will explore new technologies to steal money from banking systems.

“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes and it is essential that we keep law enforcement in our member countries engaged and informed of current trends and modus operandi,” said Sanjay Virmani, Director of INTERPOL’s Digital Crime Centre. .

References[Hacking ATMs]

Two 14-year-old students hacked an ATM with impressive simplicity

Leave a Reply

Your email address will not be published. Required fields are marked *