Ebryx forensic analysts have identified an organized criminal group in the South-Asian region using ATM malware to dispense cash directly from the ATM tray. In almost all the attacks, the criminals specifically chose NCR ATMs, as the malware exploits a fundamental flaw in how the ATM application communicates with the ATM cash dispenser. The fact that this attack methodology does not require communication with the ATM switch (no activity over the ATM network) and that the attackers can dispense a cash amount of their choice makes this attack very critical for financial institutions.
Technical
Most of the ATMs around the world use CEN/XFS (eXtensions for Financial Services) as the standard architecture for developing their client-server financial applications for Microsoft Windows. XFS provides the API to interact with the ATM hardware and therefore it can be used to interact with the ATM’s cash dispenser as well. Moreover, several XFS exploration tools such as XFSC are publicly available, allowing anybody with command execution on an ATM to attempt to dispense cash.
Attack Methodology
To conduct a successful attack, the attacker must gain physical access to the ATM’s hardware and insert a USB device containing the malware. As ATMs usually run in lockdown mode, directly executing any application would be nearly impossible. However, the attackers used a Hiren’s Bootable USB to reboot the ATM into a customized OS and then executed their malware. This in essence bypasses all the OS-specific security controls on the ATM.

Figure 1 – Flow of ATM Jackpotting
Malware Details
The criminals use two separate pieces of malware interchangeably. The first one (NCRApp.exe) requires the attacker to execute it manually; the other one (hello.exe) is automated and only dispenses cash from the first cassette (which usually contains the highest-value bills). Both pieces of malware are in fact XFS managers that, upon execution, load the XFS DLL provided by NCR (along with the legitimate application) to connect to the cash dispenser module.
The execution flow of NCRApp.exe can be seen below:

The other malware, hello.exe, has a different flow. Although it uses the same XFS DLL provided by NCR, it checks whether it is running on an NCR ATM or any other before performing the cash dispensing operation.

Indicators of Compromise
PDB Path
C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb
Registry Keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name “Amigo”, data %SYSTEMDRIVE%\NCR32\NCRApp.exe
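The following Python is an added example, not code from Ebryx’s report or its GitHub rules: it parses a `reg query` listing of the Run key for the persistence indicator above and checks a binary for the reported PDB path. The listing is constructed, and the only assumption is the standard name/type/data layout that `reg query` prints on Windows.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators taken from the report: the Run-key value name, the path it
# points at, and the PDB path embedded in hello.exe.
RUN_VALUE_NAME = "Amigo"
RUN_DATA_RE = re.compile(r"(?:%SYSTEMDRIVE%|[A-Za-z]:)\\NCR32\\NCRApp\.exe$", re.IGNORECASE)
PDB_PATH = rb"C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb"

# One value line of `reg query` output: indented name, type, data, separated
# by runs of spaces (the key path itself is printed unindented and skipped).
REG_LINE_RE = re.compile(r"^\s+(\S(?:.*?\S)?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")


@dataclass
class Finding:
    value_name: str
    data: str
    reason: str


def scan_run_key_export(text: str) -> list[Finding]:
    """Flag Run-key entries matching the persistence IoC by name or by target path."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = REG_LINE_RE.match(line)
        if not m:
            continue
        name, _reg_type, data = m.groups()
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(Finding(name, data, "value name matches IoC 'Amigo'"))
        elif RUN_DATA_RE.search(data):
            findings.append(Finding(name, data, "data points at NCR32\\NCRApp.exe"))
    return findings


def has_jackpotting_pdb(blob: bytes) -> bool:
    """True if the binary carries the PDB path reported for hello.exe (case-insensitive)."""
    return PDB_PATH.lower() in blob.lower()


# Constructed sample listing in the format `reg query` prints; the second and
# third entries are the IoC, the first is a benign Windows entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Amigo    REG_SZ    %SYSTEMDRIVE%\NCR32\NCRApp.exe
    Updater    REG_SZ    D:\NCR32\ncrapp.exe
"""

if __name__ == "__main__":
    for f in scan_run_key_export(SAMPLE_REG_QUERY):
        print(f"[!] {f.value_name} -> {f.data} ({f.reason})")
```

On a live ATM image the same function can be fed the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, and `has_jackpotting_pdb` the bytes of any suspicious executable.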
YARA Rules
YARA rules to detect the ATM Jackpotting malware can be found in our GitHub repository.
Tactics, Techniques and Procedures
Domain | ID | Name | Use
Enterprise | T1587.001 | Malware | The malware used in the attack is a custom-developed XFS manager that uses the XFS DLL by NCR
Enterprise | T1200 | Hardware Additions | The attackers gain physical access to the ATM to insert a USB device that contains the malware
Enterprise | T1059.005 | Visual Basic | As soon as the SFX “NC.exe” is launched, it runs a VBS script containing multiple checks before executing the actual malware
Enterprise | T1218.005 | MSHTA | The VBS script gets executed by utilizing mshta.exe
Enterprise | T1059.003 | Windows Command Shell | As soon as the SFX “NC.exe” is launched, it runs a VBS script that runs several commands to ensure that only one instance of the malware is running
Enterprise | T1204.002 | Malicious File | The attackers manually execute the malware on the ATM
Enterprise | T1547.001 | Registry Run Keys / Startup Folder | The malware creates a registry Run key value named “Amigo” to maintain persistence on the ATM
Enterprise | T1027.002 | Software Packing | The attackers packed the malware binaries using a Delphi packer
Outlook
While analyzing the malware, it was observed that the capabilities and characteristics, especially the PDB Path “C:\_bkittest\dispenser\Release_noToken\dispenserXFS.pdb” and the compile timestamp “Sun Feb 10 18:13:13 2019 | UTC” of hello.exe overlap with the findings published by Group-IB against Silence Group back in 2019. “NCRApp.exe” however is the ATM Jackpotting malware known as “ALICE” or “Project ALICE”.
This could potentially indicate one of two high-impact possibilities: either the Silence Group has hired money mules in the South-Asian region to expand its operations, or a totally distinct group in the same region has got hold of the malware and is on the rise.