Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.
The malware, according to Trend Micro, is about as bare-bones as it gets and appears designed for the sole purpose of emptying an ATM of its cash. Based on when its executable was compiled, Alice appears to have been in the wild since at least October 2014.
Unlike other ATM malware samples that Trend Micro has analyzed, the only function that Alice has is one that it uses to connect to the currency dispenser peripheral in the ATM. Alice makes no attempt to connect to other ATM hardware such as the machine’s PIN pad, so it's not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process, and works simply by running the executable in the target environment.
Alice's design suggests that in order to use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or an USB. They would then need to connect a keyboard to the machine’s motherboard to operate the malware, the researchers said.
Alice works with ATMs from different manufacturers such as NCR, Wincor-Nixdorf, and others, says Trend Micro senior threat researcher Numaan Huq.
"The malware, based on the PE header timestamp, has been around since late-2014, but wasn’t detected by AV vendors," Huq says. "Even when we were investigating it in November 2016, there were no detections for the files in Virus Total. So the premise is Alice has been around 'in-the-wild' for quite some time, but unfortunately we don’t know how extensive the victim list is."
To get an infected machine to dispense cash, the attacker needs to enter a specific four digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.
By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Most ATMs have a 40-currency note limit when dispensing cash. To address this, Alice dynamically keeps updating the stored cash levels in each cassette and displays it in the operator panel so the attacker knows when they are closing to emptying the cassette, the Trend Micro alert said.
Ordinarily, the only way to access the cash stored in an ATM’s cassette in an unauthorized fashion would be to blow them up, Hassan says. "The money is stored in a secure safe place that can only be opened by the bank of an armored transport company," he says. "You’d have to blow up the safe with explosives to access the cash cartridges inside and steal the money."
A tool like Alice offers a way around the need for such drastic measures: all an attacker needs is access to an ATM's internals. And that can be accomplished easily by purchasing a key to the ATM’s housing from publicly available sources, Huq says. "That allows you to access the ATM’s internals, infect the ATM with malware, and get it to dispense all the stored cash,” he said. “[It] saves blowing up the poor ATM."
It's possible that Alice can also be operated remotely over RDP without having to open up each machine, Huq says. But because Trend Micro hasn’t been able to corroborate that capability it remains just a theory for the moment, he says.