Cybercriminals use new JavaScript malware to attack ATMs

Security researchers at Yoroi have reported the emergence of a new JavaScript-based malware that uses the XFS (eXtensions for Financial Services) API to make ATMs dispense cash.

Attacks of this type are also called jackpotting: the attackers force the device to "spit out" its bills.

The experts note that this is highly targeted malware, used by cybercriminals in attacks on the banking sector.

The researchers also found a link between the analyzed sample and recent cyber operations attributed to a suspected threat actor.

“This ATM malware does not rely on standard communication interfaces; on the contrary, it uses specific techniques that indicate a good level of customization. It is possible that the cybercriminals received insider information from the attacked financial institutions,” Yoroi experts explain.

Once on the ATM, the malware performs a series of checks (for example, that the Java Virtual Machine (JVM) is working correctly) and then starts an HTTP server that acts as the interface between the attacker and the target ATM.

The malware contains a hard-coded IP address, 150.100.248[.]18, which is used in the later stages of the attack. Using simple HTTP requests to the embedded server, an attacker can trigger individual malware functions.


Most of the malicious actions are carried out by JavaScript code, which lets the attackers withdraw all the cash from the ATM. After a successful attack, the malware sends the relevant information to the address above, 150.100.248[.]18.

What distinguishes this program from its counterparts, and makes it more dangerous, is the ability to execute batch commands remotely.
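The behaviour described above gives a defender two things to look for on the network: an ATM that suddenly accepts inbound HTTP requests (the embedded server the attacker drives), and ATM traffic to the hard-coded address 150.100.248[.]18. The script below is an added example written for this page, not code from Yoroi or from the malware; it runs three simple detection rules over a constructed flow-log sample. The log format, the field names, the host addresses and the list of "web" ports are all assumptions made for the demonstration.

```python
"""Added example: flag the ATM-malware network behaviours the article describes.

Not Yoroi's code. Log format, host IPs and port list are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator taken from the article (defanged form 150.100.248[.]18), refanged for matching.
IOC_IP = "150.100.248.18"

# Ports on which an ATM should never be acting as a web server (assumed list).
WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Constructed sample flow log (assumed format): "<ts> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
# 10.20.1.15 plays the ATM, 10.20.0.5 its legitimate host switch, 192.168.77.4 the attacker's box.
SAMPLE_LOG = """\
2019-05-02T10:01:03Z tcp 10.20.1.15:51832 -> 10.20.0.5:443 1204
2019-05-02T10:01:07Z tcp 192.168.77.4:40122 -> 10.20.1.15:8080 612
2019-05-02T10:01:09Z tcp 10.20.1.15:51840 -> 150.100.248.18:80 288
2019-05-02T10:01:11Z tcp 10.20.1.15:51841 -> 10.20.0.5:443 980
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(\d+)$"
)


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one flow-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport, nbytes = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def is_external(ip):
    """True for publicly routable addresses (RFC 1918 and similar ranges are not)."""
    return ipaddress.ip_address(ip).is_global


def analyse(log_text, atm_hosts, allowed_dst=frozenset()):
    """Run the three rules over the log.

    atm_hosts:   IPs of ATM endpoints.
    allowed_dst: destinations an ATM is sanctioned to talk to (host switch, monitoring).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: any host contacting the address hard-coded in the sample.
        if rec["dst"] == IOC_IP:
            findings.append(Finding(rec["ts"], "ioc-c2",
                                    f"{rec['src']} -> {IOC_IP}:{rec['dport']}"))
        # Rule 2: an ATM acting as a server on a web port (the embedded HTTP interface).
        elif rec["dst"] in atm_hosts and rec["dport"] in WEB_PORTS:
            findings.append(Finding(rec["ts"], "atm-listening-http",
                                    f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
        # Rule 3: an ATM reaching an unsanctioned address on the internet.
        elif (rec["src"] in atm_hosts and rec["dst"] not in allowed_dst
              and is_external(rec["dst"])):
            findings.append(Finding(rec["ts"], "atm-unexpected-egress",
                                    f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
    return findings


def run_demo():
    """Apply the rules to the constructed sample and return the findings."""
    return analyse(SAMPLE_LOG, atm_hosts={"10.20.1.15"}, allowed_dst={"10.20.0.5"})


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.ts} [{f.rule}] {f.detail}")
```

On the sample the second line fires the listening-HTTP rule and the third line fires the indicator rule; the two connections to the host switch are silent. Rule 1 is the brittle one (the address can change between samples), while rules 2 and 3 catch the behaviour the article describes regardless of the infrastructure used, which is why an ATM network should be able to express "these hosts never serve HTTP and only ever talk to the switch" as a baseline.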

“At the moment it's not clear how the technical information required to develop ad hoc malware has been accessed. A wide range of scenarios are possible, such as the involvement of an insider, the long-term compromise of the whole target network or of just a small subset of mailboxes, or maybe a compromise of the Software Development Supply Chain. A set of scenarios that need to be seriously taken into account by the financial and banking organizations aiming to tackle modern bank thieves,” warn Yoroi experts.

A full technical analysis of this malware can be found on the Yoroi blog.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
