
Page 1: ATM Malware: Understanding the threat

ATM Malware: Understanding the Threat

Amit Malik Co-Founder @ Cysinfo (https://cysinfo.com)

Researcher @ Netskope Linkedin: https://in.linkedin.com/in/doublezer0

Page 2: ATM Malware: Understanding the threat

Disclaimer

The content, demonstrations, source code and programs presented here are provided "AS IS" without warranty or conditions of any kind. The views, ideas and knowledge expressed here are solely the author's and have nothing to do with the company or organisation the author currently works for.

In no circumstances are the speaker or Cysinfo responsible for any damage or loss caused by use or misuse of the information presented here.

Page 3: ATM Malware: Understanding the threat

News..

Page 4: ATM Malware: Understanding the threat

Agenda

• Introduction
• XFS subsystem/middleware architecture
• XFS internals
• ATM malware evolution
• Case study: RIPPER ATM malware

Page 5: ATM Malware: Understanding the threat

Introduction

• ATM (Automated Teller Machine)
• According to the ATM Industry Association (ATMIA), around 3 million ATMs are installed worldwide.
• The majority of ATMs run the Windows operating system.
• WOSA/XFS (now CEN/XFS) is the software standard ATM platforms use to interact with ATM devices.
• The XFS subsystem provides a common API through which applications access and drive ATM devices from different vendors.
• Leading ATM vendors:
  • NCR
  • Diebold
  • Wincor

Page 6: ATM Malware: Understanding the threat

ATM Diagram

*Picture: https://upload.wikimedia.org/wikipedia/commons/9/99/Atm_blockdiagram.png

Page 7: ATM Malware: Understanding the threat

XFS (eXtensions for Financial Services) Architecture

*pic: CEN/XFS Specifications

Page 8: ATM Malware: Understanding the threat

XFS APIs

• Applications use the XFS APIs to communicate with service providers.
• APIs can be called synchronously or asynchronously.
• The XFS Manager translates each API call into the corresponding SPI call on the service provider.
• API names start with the WFS prefix (SPI names start with WFP).
• Examples: WFSOpen, WFSExecute, WFSGetInfo, etc.

Page 9: ATM Malware: Understanding the threat

Configuration Information

• The XFS Manager uses configuration information to route APIs to SPIs.
• Configuration information is stored in the Windows registry.
• PC-dependent information is stored under:
  • HKEY_LOCAL_MACHINE\SOFTWARE\XFS
• User-dependent information is stored under:
  • HKEY_USERS\.Default\XFS
  • .Default, or the key of a specific user ID.

Page 10: ATM Malware: Understanding the threat

Config. Info. cont..

• PC-dependent information:
  • XFS_Manager: trace file, share file information, etc.
  • Service_Provider: XFS-compliant service provider - DLL name, version, vendor name.
  • Physical_Service: physical attachment configuration, set by the solution provider.

*pic: CEN/XFS Specifications

Page 11: ATM Malware: Understanding the threat

Config. Info. cont..

• Example (service providers):

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\PIN]
"dllname"="PIN.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\IDC]
"dllname"="IDC.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\CDM]
"dllname"="CDM.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"

Page 12: ATM Malware: Understanding the threat

Config. Info. cont..

• User-dependent configuration:
  • A logical service is the name an application opens; it can be backed by one or more physical services. For example, a cash dispenser and a coin dispenser can be part of one logical service.
  • Logical service values: service class, and service provider (the key name of the provider under SERVICE_PROVIDERS).

*pic: CEN/XFS specifications

Page 13: ATM Malware: Understanding the threat

Config. Info. cont..

• Example (logical services):

[HKEY_USERS\.Default\XFS\LOGICAL_SERVICES\CashDispenser]
"class"="CDM"
"provider"="CDM"

[HKEY_USERS\.Default\XFS\LOGICAL_SERVICES\Pinpad]
"class"="PIN"
"provider"="PIN"

[HKEY_USERS\.Default\XFS\LOGICAL_SERVICES\Magstripe]
"class"="IDC"
"provider"="IDC"
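The two registry areas shown on the last few slides (service providers under HKEY_LOCAL_MACHINE, logical services under HKEY_USERS) are what the XFS Manager walks when an application opens a logical service: logical name, then provider key, then DLL. The following Python is an added example, not code from the slides: it parses a .reg-style export of both areas, resolves each logical service to the DLL that would be loaded, and applies a hypothetical triage rule for an ATM disk image (provider key missing, vendor not the one the ATM is known to run, DLL given by an explicit path instead of a bare module name). The SAMPLE_REG text is constructed for the example: it repeats entries from the slides and adds a fictitious CDM2 provider that the CashDispenser logical service has been re-pointed to.

```python
"""Resolve XFS logical services to the service-provider DLLs the XFS Manager would
load, from a .reg-style export, and flag entries that deserve a second look.
Added example, not code from the slides."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SP_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\XFS\\SERVICE_PROVIDERS\\"
LS_PREFIX = "HKEY_USERS\\.Default\\XFS\\LOGICAL_SERVICES\\"

# Constructed sample: entries from the slides plus a fictitious CDM2 provider
# that the CashDispenser logical service has been re-pointed to.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\PIN]
"dllname"="PIN.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\CDM]
"dllname"="CDM.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\CDM2]
"dllname"="C:\\Temp\\cdmhook.dll"
"vendor_name"="Unknown"
"version"="1.0.0"

[HKEY_USERS\.Default\XFS\LOGICAL_SERVICES\CashDispenser]
"class"="CDM"
"provider"="CDM2"

[HKEY_USERS\.Default\XFS\LOGICAL_SERVICES\Pinpad]
"class"="PIN"
"provider"="PIN"
'''

# "name"="value" with .reg backslash escapes inside the value
VALUE_RE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] block to its string values (names lower-cased, .reg escapes undone)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')  # tolerate curly quotes
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


@dataclass
class LogicalService:
    name: str
    service_class: str
    provider: str
    dllname: Optional[str]  # None when the provider key does not exist
    vendor: Optional[str]


def resolve_logical_services(reg_text: str) -> List[LogicalService]:
    """Follow logical service -> provider key -> dllname, as the XFS Manager does at WFSOpen."""
    keys = parse_reg(reg_text)
    providers = {k[len(SP_PREFIX):].upper(): v for k, v in keys.items()
                 if k.upper().startswith(SP_PREFIX.upper())}
    services = []
    for key, values in keys.items():
        if not key.upper().startswith(LS_PREFIX.upper()):
            continue
        provider = values.get("provider", "")
        sp = providers.get(provider.upper(), {})
        services.append(LogicalService(key[len(LS_PREFIX):], values.get("class", ""), provider,
                                       sp.get("dllname"), sp.get("vendor_name")))
    return services


def anomalies(services: List[LogicalService], expected_vendor: str) -> List[Tuple[str, str]]:
    """Hypothetical triage rule: provider key missing, provider not from the expected
    vendor, or provider DLL given by an explicit path rather than a bare module name."""
    findings = []
    for s in services:
        if s.dllname is None:
            findings.append((s.name, f"provider key {s.provider!r} not found"))
            continue
        if s.vendor != expected_vendor:
            findings.append((s.name, f"provider vendor {s.vendor!r} is not {expected_vendor!r}"))
        if "\\" in s.dllname or "/" in s.dllname:
            findings.append((s.name, f"provider DLL loaded from explicit path {s.dllname}"))
    return findings
```

Run it against `reg export HKLM\SOFTWARE\XFS` and `reg export HKU\.DEFAULT\XFS` output from the image under analysis; the vendor string to expect is whatever the ATM's legitimate XFS platform writes, so take it from a known-good machine of the same build rather than from the image itself.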

Page 14: ATM Malware: Understanding the threat

Important XFS APIs

• WFSStartUp - Initiate a connection between an application and the XFS Manager (version negotiation).
• WFSOpen - Open a session between an application and a service provider, by logical service name.
• WFSRegister - Enable monitoring of a class of events by an application.
• WFSExecute - Send service-specific commands to a service provider.
• WFSGetInfo - Retrieve service-specific information from a service provider.
• Most of the APIs can also be called asynchronously; a few are synchronous only (e.g. WFSStartUp, WFSCleanUp).
• Async variants - WFSAsyncExecute, WFSAsyncOpen, WFSAsyncRegister, etc.
• An application must perform a WFSOpen for each logical service it uses.
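The call sequence above, as an added Python/ctypes example rather than the slides' own material: it drives the XFS Manager (msxfs.dll) through WFSStartUp, WFSOpen on a logical service name from the registry, WFSGetInfo with WFS_INF_CDM_STATUS, then WFSFreeResult, WFSClose and WFSCleanUp. The prototypes, structure layouts (including pack(1)), the version-word packing and the numeric codes (WFS_INF_CDM_STATUS = 301, i.e. service class 3 * 100 + 1) are taken from the CEN/XFS API headers and are assumptions not stated on the slides; "CashDispenser" is the logical name from the registry example. WFSRegister is left out because it needs a window handle to deliver event messages to. The function queries dispenser status rather than issuing a dispense command, and it only runs on a Windows host with an XFS stack; the helper functions work anywhere.

```python
"""Walk the XFS call sequence against the XFS Manager (msxfs.dll) from Python.
Added example; prototypes, layouts and constants are assumptions taken from the
CEN/XFS API headers, not from the slides."""
import ctypes
import sys
from ctypes import POINTER, Structure, byref, c_char, c_char_p, c_int32, c_uint16, c_uint32, c_void_p

WFS_SUCCESS = 0
WFS_SERVICE_CLASS_CDM = 3  # cash dispenser (IDC = 2, PIN = 4)
WFS_INDEFINITE_WAIT = 0
WFS_TRACE_NONE = 0


def wfs_word(major: int, minor: int) -> int:
    """One XFS version word: major in the low byte, minor in the high byte."""
    return ((minor & 0xFF) << 8) | (major & 0xFF)


def versions_required(lowest, highest) -> int:
    """dwVersionsRequired for WFSStartUp/WFSOpen: lowest supported version in the
    high word, highest in the low word (assumed from the spec's wording)."""
    return (wfs_word(*lowest) << 16) | wfs_word(*highest)


def service_code(service_class: int, number: int) -> int:
    """Service-specific WFS_INF_*/WFS_CMD_* codes are class * 100 + n."""
    return service_class * 100 + number


WFS_INF_CDM_STATUS = service_code(WFS_SERVICE_CLASS_CDM, 1)  # 301


class WFSVERSION(Structure):
    _pack_ = 1  # assumed to match the XFS headers' packing
    _fields_ = [("wVersion", c_uint16), ("wLowVersion", c_uint16), ("wHighVersion", c_uint16),
                ("szDescription", c_char * 257), ("szSystemStatus", c_char * 257)]


class SYSTEMTIME(Structure):
    _pack_ = 1
    _fields_ = [(n, c_uint16) for n in ("wYear", "wMonth", "wDayOfWeek", "wDay",
                                        "wHour", "wMinute", "wSecond", "wMilliseconds")]


class WFSRESULT(Structure):
    _pack_ = 1
    _fields_ = [("RequestID", c_uint32), ("hService", c_uint16), ("tsTimestamp", SYSTEMTIME),
                ("hResult", c_int32), ("dwCommandCode", c_uint32), ("lpBuffer", c_void_p)]


def cdm_status(logical_name: str = "CashDispenser") -> dict:
    """StartUp -> Open -> GetInfo(WFS_INF_CDM_STATUS) -> FreeResult -> Close -> CleanUp."""
    if sys.platform != "win32":
        raise OSError("needs msxfs.dll on a Windows XFS host")
    xfs = ctypes.WinDLL("msxfs.dll")
    xfs.WFSStartUp.argtypes = [c_uint32, POINTER(WFSVERSION)]
    xfs.WFSOpen.argtypes = [c_char_p, c_void_p, c_char_p, c_uint32, c_uint32, c_uint32,
                            POINTER(WFSVERSION), POINTER(WFSVERSION), POINTER(c_uint16)]
    xfs.WFSGetInfo.argtypes = [c_uint16, c_uint32, c_void_p, c_uint32, POINTER(POINTER(WFSRESULT))]
    xfs.WFSFreeResult.argtypes = [POINTER(WFSRESULT)]
    xfs.WFSClose.argtypes = [c_uint16]
    for fn in (xfs.WFSStartUp, xfs.WFSOpen, xfs.WFSGetInfo, xfs.WFSFreeResult, xfs.WFSClose, xfs.WFSCleanUp):
        fn.restype = c_int32

    mgr_ver, sp_ver, spi_ver = WFSVERSION(), WFSVERSION(), WFSVERSION()
    h_service = c_uint16(0)
    result = POINTER(WFSRESULT)()
    want = versions_required((3, 0), (3, 30))  # accept XFS Manager 3.00 .. 3.30

    hr = xfs.WFSStartUp(want, byref(mgr_ver))
    if hr != WFS_SUCCESS:
        raise RuntimeError(f"WFSStartUp failed: {hr}")
    try:
        # hApp is NULL (no application handle); the session is keyed by logical name
        hr = xfs.WFSOpen(logical_name.encode(), None, b"xfs-demo", WFS_TRACE_NONE, WFS_INDEFINITE_WAIT,
                         want, byref(sp_ver), byref(spi_ver), byref(h_service))
        if hr != WFS_SUCCESS:
            raise RuntimeError(f"WFSOpen({logical_name}) failed: {hr}")
        try:
            hr = xfs.WFSGetInfo(h_service.value, WFS_INF_CDM_STATUS, None, WFS_INDEFINITE_WAIT, byref(result))
            if hr != WFS_SUCCESS:
                raise RuntimeError(f"WFSGetInfo failed: {hr}")
            r = result.contents
            info = {"manager": mgr_ver.szDescription.decode(errors="replace"),
                    "provider": sp_ver.szDescription.decode(errors="replace"),
                    "command": r.dwCommandCode, "hResult": r.hResult}
            xfs.WFSFreeResult(result)  # the XFS Manager owns the result buffer
            return info
        finally:
            xfs.WFSClose(h_service.value)
    finally:
        xfs.WFSCleanUp()
```

Every return code is checked because the XFS Manager reports both routing failures (no such logical service, provider DLL missing) and device failures through hResult; a malware sample that ignores them is easy to spot in a debugger, one that handles them is not.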

Page 15: ATM Malware: Understanding the threat

ATM Malware Evolution

• 2007: Skimer
• 2013: Ploutus
• 2014: Padpin, Neopocket
• 2015: SUCEFUL, GreenDispenser
• 2016: Ripper, Alice

Page 16: ATM Malware: Understanding the threat

Case Study

• RIPPER ATM malware
• Linked to the theft of Bt12 million (12 million Thai baht) from ATMs in Thailand.
• Targets the major ATM manufacturers (NCR, Diebold, Wincor).
• Reads both magnetic stripe and EMV chip data.
• Cash dispenser functionality.
• Let's jump into the malware code analysis!

Page 17: ATM Malware: Understanding the threat

Code…

Page 18: ATM Malware: Understanding the threat

Code (path)

Page 19: ATM Malware: Understanding the threat

Code..

Page 20: ATM Malware: Understanding the threat

Code..

Page 21: ATM Malware: Understanding the threat

References

• CEN/XFS: https://www.cen.eu/work/areas/ICT/eBusiness/Pages/CWA16374.aspx
• FireEye: https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
• Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/