Security researchers at Yoroi have announced the emergence of new JavaScript malware that uses the XFS (eXtensions for Financial Services) API to withdraw money from ATMs.
Attacks of this type are also called jackpotting: the attackers force the device to "spit out" its bills.
The experts noted that this is a very specific malware that cybercriminals have used in attacks on the banking sector.
The researchers also found a link between the analyzed sample and recent cyber operations attributed to the suspected attackers.
"This ATM malware does not rely on standard communication interfaces; on the contrary, it uses specific techniques that indicate a good level of customization. It is possible that the cybercriminals received insider information from the attacked financial institutions," Yoroi experts explain.
Once on the ATM system, the malware performs a series of checks, for example that the Java Virtual Machine (JVM) is working correctly, and then starts an HTTP server that acts as the interface between the attacker and the target ATM.
The malware contains a hard-coded IP address, 150.100.248[.]18, which is required in the later stages of the attack. Using simple HTTP requests, an attacker can activate individual malware features.
Most of the malicious actions are performed by JavaScript code, which lets the attackers withdraw all the cash from the ATM. If the attack succeeds, the malware sends the relevant information to the address mentioned above, 150.100.248[.]18.
What distinguishes this program from its counterparts, and makes it more dangerous, is its ability to remotely execute batch commands.
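As an added defender-side example (not part of the Yoroi report or this article), the following Python check scans constructed flow logs from an ATM network segment for two of the behaviours described above: contact with the hard-coded address, and inbound HTTP to an ATM from a host that is not an allowed peer, which is what the malware's embedded HTTP server would be accepting. The log format, the host addresses and the listening port 8080 are assumptions.

```python
import re

# Indicator from the Yoroi report, kept in the defanged form the article prints.
DEFANGED_C2 = "150.100.248[.]18"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a form that matches real log data."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Constructed sample flow log (assumed format: ts src sport dst dport proto action).
# 10.20.30.5 is the ATM, 10.20.30.10 its legitimate host server, 192.168.77.9 an
# unknown workstation. None of these lines are real data.
SAMPLE_LOG = f"""\
2019-01-10T10:00:01Z 10.20.30.5 50122 10.20.30.10 443 tcp allow
2019-01-10T10:00:05Z 10.20.30.5 50123 {refang(DEFANGED_C2)} 80 tcp allow
2019-01-10T10:01:12Z 192.168.77.9 41000 10.20.30.5 8080 tcp allow
2019-01-10T10:01:30Z 10.20.30.10 60000 10.20.30.5 8080 tcp allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\w+) (\w+)$")


def find_suspicious(log_text, atm_hosts, allowed_peers, c2_indicators):
    """Return (timestamp, reason, flow) tuples for flows worth an analyst's attention."""
    c2 = {refang(i) for i in c2_indicators}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, src, _sport, dst, dport, _proto, _action = m.groups()
        if src in c2 or dst in c2:
            # Any traffic with the hard-coded address, in either direction.
            hits.append((ts, "c2-contact", f"{src} -> {dst}:{dport}"))
        elif dst in atm_hosts and src not in allowed_peers:
            # An ATM should not be accepting connections from arbitrary hosts;
            # the malware's HTTP control interface would show up this way.
            hits.append((ts, "unexpected-inbound", f"{src} -> {dst}:{dport}"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, {"10.20.30.5"}, {"10.20.30.10"}, [DEFANGED_C2]):
        print(hit)
```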
"At the moment it is not clear how the technical information required to develop ad hoc malware has been accessed. A wide range of scenarios are possible, such as the involvement of an insider, the long-term compromise of the whole target network or just a small subset of mailboxes, or maybe a compromise of the software development supply chain. A set of scenarios that need to be seriously taken into account by the financial and banking organizations aiming to tackle modern bank thieves," Yoroi experts warn.