Kaspersky Analyzes EU ATM Malware Attack Targeting ATMs

In Europe, a new strain of malware called EU ATM Malware targets ATMs with a claimed effectiveness of 99%.

Olga Osipova, Senior Application Security Specialist at Kaspersky, analyzed the highlights of this attack:

  • The malware is highly effective on numerous ATMs from major manufacturers.
  • The ability to withdraw up to $30,000 from a single ATM makes EU ATM Malware particularly attractive to cybercriminals.
  • Different payment methods for the malware (subscription, demo version) indicate that the developers are organized and well-prepared, potentially increasing its spread. Having multiple modes of operation allows the malware to adapt to specific attack targets and conditions.

Attacks on ATMs are very widespread and profitable, since they allow attackers to obtain cash in real time. Ads often appear on the dark web for malware or specific devices designed to withdraw money from various ATMs. These announcements often precede waves of attacks on banks in different countries. Over the years, the most popular software for getting money from ATMs has included Tyupkin, Cutlet Maker, Skimer and many others. In 2015-2016, for example, the Black Box model became very popular.

Regarding the current announcement of EU ATM Malware, considering its supposed cross-platform functionality, it can be assumed that it is based on XFS, a standard that provides a common API for managing the various internal modules of the ATM, regardless of the manufacturer.

Over the years we have analyzed the security of ATMs and developed a series of tools to verify the possibility of withdrawing cash. The first of them was developed more than 10 years ago, when most ATMs ran on Windows XP. This tool, with minor changes, still works on the latest versions of the operating system, regardless of the platform (NCR, Diebold, GRG, Hyosung, etc.). By taking advantage of the features of the XFS standard, it is possible to demonstrate the vulnerabilities and flaws in ATMs that lead to their emptying. In fact, cash dispensing can be completely automated until all the money has been withdrawn, with the exception of the physical action of removing the bundle of banknotes from the ATM.

The seller claims 99% effectiveness on European ATMs and up to 60% on those in other countries, indirectly suggesting that the malware was developed specifically for European devices.

This does not mean that ATMs outside Europe are safe. It is important to remember that in addition to software methods of unauthorized cash disbursement, there are also hardware methods. Unfortunately, in every security analysis conducted by Kaspersky, even in 2024, at least one attack method that allows full cash withdrawal is detected for every ATM.

Adequate attention to the security of financial devices, regular penetration testing and ATM security assessments, together with timely implementation of remediation measures when vulnerabilities are found, help reduce the risk of ATM attacks and minimize financial and reputational losses. Monitoring “clandestine” activities that target a bank or company can be achieved through cyber intelligence services.

 