Organized ATM Jackpotting


Marketing Team
May 22, 2025

Ebryx forensic analysts identified an organized criminal group operating in the South-Asian region. The group used ATM malware to dispense cash directly from the ATM tray, and in almost all of the attacks the criminals specifically targeted NCR ATMs. The malware abuses a fundamental weakness in the way the ATM application talks to the cash dispenser: the dispenser accepts commands from any application on the ATM PC that speaks to it through the standard interface. The attack never touched the ATM switch (there was no activity over the ATM network), so the attackers could dispense any amount they chose without a transaction being authorized or recorded by the bank. This constitutes a critical attack for financial institutions.


Technical

Most ATMs worldwide use CEN/XFS (eXtensions for Financial Services), the standard client/server architecture for financial applications on Microsoft Windows. XFS exposes the API through which the ATM application drives the peripherals, so the same API can drive the cash dispenser. Several XFS exploration tools, such as XFSC, are publicly available. The consequence is that anyone who obtains command execution on an ATM can dispense cash: nothing in the interface distinguishes the legitimate application from an attacker's program.
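One practical control that follows from this is to treat any load of the XFS manager DLL by a process other than the ATM application as an alert. The script below is an added example (not Ebryx's or NCR's code): it runs over Sysmon Event ID 7 (image loaded) records and reports every process outside an allowlist that loads msxfs.dll. The allowlisted application path and the sample events are constructed for the example; take the real path from the vendor install.

```python
"""Flag loads of the XFS manager DLL by processes other than the ATM application.

Added example (not Ebryx's or NCR's code). Input is Sysmon Event ID 7
(ImageLoaded) records as dicts; the allowlisted application path is an
assumption for this example, not a real NCR install path.
"""
from typing import Dict, Iterable, List

# Hypothetical path of the legitimate ATM application on this fleet. Take the
# real value from the vendor install rather than hard-coding it.
ALLOWED_XFS_CLIENTS = {r"c:\atm\app\atmapp.exe"}

# msxfs.dll is the CEN/XFS manager; every XFS client, legitimate or not, has to
# load it before it can open the cash dispenser (CDM) service.
XFS_MANAGER_DLL = "msxfs.dll"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unauthorized_xfs_loads(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per Event ID 7 where a non-allowlisted image loads msxfs.dll."""
    findings = []
    for ev in events:
        if int(ev.get("EventID", 0)) != 7:
            continue
        if _basename(ev.get("ImageLoaded", "")) != XFS_MANAGER_DLL:
            continue
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_XFS_CLIENTS:
            continue
        findings.append({
            "image": image,
            "dll": ev.get("ImageLoaded"),
            # Anything launched from a non-system drive is a strong hint of
            # removable media on an ATM; weak heuristic, reported as a hint only.
            "non_system_drive": not image.lower().startswith("c:\\"),
            "reason": "non-allowlisted process loaded the XFS manager",
        })
    return findings


# Constructed sample records for the demo, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ATM\App\AtmApp.exe",
     "ImageLoaded": r"C:\Windows\System32\msxfs.dll"},
    {"EventID": 7, "Image": r"D:\NCRApp.exe",
     "ImageLoaded": r"C:\Windows\System32\msxfs.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 1, "Image": r"D:\hello.exe", "CommandLine": r"D:\hello.exe"},
]

if __name__ == "__main__":
    for finding in find_unauthorized_xfs_loads(SAMPLE_EVENTS):
        print(finding)
```

This covers the general case the section raises, an attacker with command execution on the running ATM OS. It does not cover the variant described later in this write-up, where the attackers booted a separate OS from USB: host telemetry on the ATM's own Windows installation never runs in that scenario, so it has to be paired with a locked-down firmware boot order and full-disk encryption.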

Attack Methodology

To conduct a successful attack, the attacker must gain physical access to the ATM's internals and connect a USB device carrying the malware. Because ATMs normally run in a locked-down kiosk configuration, launching an arbitrary executable on the running OS is nearly impossible. The attackers sidestepped this by using a Hiren's bootable USB to reboot the ATM into a customized OS and executing their malware from there. This bypasses every OS-level security control on the ATM, including application allowlisting, because the ATM's own Windows installation never runs. The technique depends on the firmware allowing a boot from removable media and on the ATM's disk being readable from the booted OS, since the malware still needs the NCR XFS DLLs installed on it.

Malware Details

The criminals used two separate pieces of malware interchangeably. The first one (NCRApp.exe) requires the attacker to operate it manually. The other one (hello.exe) is automated and only dispenses cash from the first cassette, which usually holds the highest-value bills. Both samples are, in effect, custom XFS client applications: on execution they load the XFS DLLs supplied by NCR with the legitimate application and open a session with the Cash Dispenser module.
The execution flow of NCRApp.exe can be seen below:

The other malware, hello.exe, follows a different flow. Although it uses the same NCR-supplied XFS DLLs, it first checks whether it is running on an NCR ATM at all before performing the cash dispense operation.

Indicators of Compromise


Tactics, Techniques and Procedures

Outlook

While analyzing the malware, we observed that the capabilities and characteristics of hello.exe, in particular the PDB path “C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb” and the compile timestamp “Sun Feb 10 18:13:13 2019 | UTC”, overlap with the findings Group-IB published on the Silence Group back in 2019. “NCRApp.exe” is the ATM jackpotting malware known as “ALICE” or “Project ALICE”.


This points to one of two possibilities, either of which has a large impact: the Silence Group has hired money mules in the South-Asian region to expand its operations, or an entirely distinct group in the same region has obtained the malware and is on the rise.
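The PDB path and compile timestamp quoted above are the kind of static indicators a responder can sweep a fleet for. The script below is an added example (not Ebryx's tooling): it reads the COFF TimeDateStamp from a PE header, pulls the PDB path out of the RSDS (CodeView 7.0) debug record, and compares both against the indicators. The sample PE bytes are constructed inline for the demo and are not a real binary; the RSDS lookup is a raw byte scan rather than a walk of the debug directory, which is a triage shortcut, not a full PE parser.

```python
"""Match PE files against the PDB path and compile-timestamp indicators quoted above.

Added example, not Ebryx's tooling. Sample PE bytes are constructed here for the
demo and are not a real binary.
"""
import calendar
import struct
import time
from typing import Dict, Optional

# Indicators quoted in the analysis above.
IOC_PDB_PATH = r"C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb"
IOC_TIMESTAMP = "Sun Feb 10 18:13:13 2019 UTC"


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return the COFF header TimeDateStamp, or None if the blob is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def pdb_path(data: bytes) -> Optional[str]:
    """Extract the PDB path from the first RSDS CodeView record in the file.

    Triage shortcut: scans for the 'RSDS' signature instead of walking the debug
    directory. Record layout: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated path.
    """
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\0", start)
    if end < 0:
        return None
    return data[start:end].decode("latin-1")


def fmt_utc(ts: int) -> str:
    """Render an epoch timestamp the way the write-up quotes it."""
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts)) + " UTC"


def match_iocs(data: bytes) -> Dict[str, object]:
    """Compare a PE blob's timestamp and PDB path against the two indicators."""
    ts = pe_timestamp(data)
    pdb = pdb_path(data)
    stamp = fmt_utc(ts) if ts is not None else None
    return {
        "timestamp": stamp,
        "pdb": pdb,
        "timestamp_match": stamp == IOC_TIMESTAMP,
        "pdb_match": pdb is not None and pdb.lower() == IOC_PDB_PATH.lower(),
    }


def build_sample_pe(timestamp: int, pdb: str) -> bytes:
    """Build a minimal stand-in PE (constructed test data, not a runnable binary)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb.encode() + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64 + rsds


# Constructed samples: one carrying the quoted indicators, one benign.
SUSPECT = build_sample_pe(calendar.timegm((2019, 2, 10, 18, 13, 13, 0, 0, 0)), IOC_PDB_PATH)
BENIGN = build_sample_pe(calendar.timegm((2021, 6, 1, 9, 0, 0, 0, 0, 0)),
                         r"C:\build\app\Release\app.pdb")

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, match_iocs(blob))
```

A compile timestamp is trivially forged and a PDB path can be edited after linking, so a match on either is a pivot for further analysis, not proof of attribution on its own.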