Update This story was updated Aug. 31. A never-before-seen malware family known as RIPPER is being blamed for a rash of ATM heists in Thailand last week. The malware, found by researchers at FireEye, is responsible for the theft of 12 million baht ($378,000) from ATMs at banks across Thailand.
The discovery of the malware coincided with news reports from the Bangkok Post newspaper of ATM robberies by cybercriminals. While law enforcement agencies in Thailand have not attributed the theft to the RIPPER malware, FireEye said on Friday it believes it is the same.
The attacks “strongly suggest this piece of (RIPPER) malware is the one used to steal from the ATMs at banks in Thailand,” Daniel Regalado, senior staff malware researcher at firm, wrote in a blog post.
Attackers are able to penetrate targeted ATMs with a specially crafted EMV (EuroPay, MasterCard and Visa) chip-enabled ATM card. The card serves as an authentication mechanism that interacts with the RIPPER malware that already exists on the ATM. “Once a valid card with a malicious EMV chip is detected, RIPPER will instantiate a timer to allow a thief to control the machine,” Regalado writes. During the same ATM card session, attackers use the ATM’s pinpad display to send a combination of commands that trick the ATM into dispensing currency.
It’s unclear if the money withdrawn is from the banks in question or from a bank customer’s account. But attackers are restricted to 40 banknotes per withdrawal, limiting the amount stolen from each ATM interaction.
While RIPPER is new, the technique used by the malware has been seen before, particularly by the Skimmer family of ATM attacks, which date back to 2013. Cybercriminals have been reusing a more evolved version of the Skimmer malware, according to research released by Kaspersky Lab in May.
According to FireEye, RIPPER is different from Skimmer in the sense that it relies on a specially manufactured ATM with an EMV chip to authenticate with infected ATMs.
Analysis of RIPPER showed the malware targets three types of Windows-based ATMs. The malware first disables the ATM’s network connection and then kills the “dbackup.exe” process and replaces the original “dbackup.exe” with its own, along with other key components of the ATM software.
“RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself. This technique allows the malware to maintain the legitimate program name to avoid suspicion,” Regalado wrote.
RIPPER maintains persistence on the ATM by adding itself to Windows’ “RunFwLoadPm” registry key, passing the “/autorun” parameter that is understood by the malware.
“Once the thieves start interacting with RIPPER, they enter instructions via the pinpad and multiple options are displayed, including methods for dispensing currency,” according to Regalado.
Once attackers have finished their heist, RIPPER hides itself by calling the ShowWindow GUI API. The ATM’s network stays disabled, preventing the ATM to communicate with the rest of the bank’s network.
The firm didn’t specify which ATM vendors are vulnerable to attacks but said: “This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices.”
The Bangkok Post reported that the ATMs were made by NCR with 21 ATM attacks reported between the dates of July 9 and August 23.