Tyupkin Malware Allows Hackers to Steal Millions From ATMs

Posted on October 08, 2014.


Hackers are attacking ATMs in Europe, Asia and Latin America, using the Tyupkin malware and cash-collecting mules. The losses amount to millions of dollars.

The Kaspersky Lab Research Team has reported a remarkable growth in ATM attacks using malicious software and skimming devices over the last few years. Things are now evolving: hackers are attacking financial institutions by compromising ATM machines directly or by mounting APT attacks against banks.

The Night Attacks of Tyupkin Malware

The ATMs targeted by Backdoor.MSIL.Tyupkin that Kaspersky Lab has detected run 32-bit Microsoft Windows and are produced by a major ATM manufacturer. To avoid detection, Tyupkin is active only during certain hours at night and uses a key that is based on a random seed for each individual session. This key is crucial for the interaction with the infected ATM. Once the key is entered, Tyupkin shows information about the available amount of money in each cassette. This lets the attacker withdraw 40 notes from the cassette he has selected. Reportedly, anti-emulation and anti-debug techniques are implemented in the latest version of the malware.

Tyupkin is installed via a bootable CD once the attacker gains physical access to the machine. The malware accepts commands only on certain days and hours, which are consistent with the visits of the cash-collecting mules. In order to avoid unwanted attention, the withdrawals take place on Sunday and Monday nights. Security camera footage shows that the person who collects the money calls another team member to obtain the key needed to perform the operation. The “operator” uses an algorithm to generate the session key. Only if the key is entered correctly can the attacker interact with the compromised ATM.

The following message is then displayed:

“CASH OPERATION PERMITTED. TO START DISPENSE OPERATION – ENTER CASSETTE NUMBER AND PRESS ENTER.”

If the entered key is incorrect, the Tyupkin malware disables the local network. The exact reason for this action is still not clear, but experts believe its purpose is to disrupt remote investigations.

INTERPOL is investigating the case, working on the detection and elimination of the threat.


