ALICE: Simplicity for ATM Jackpotting

ATM malware is clearly a hot topic and a big concern nowadays for the banking industry, with the number of attacks rapidly growing and targeting all countries and regions.
In recent posts we have described a new wave of sophisticated orchestrated attacks, where the internal network of the financial institution has been compromised to conduct network-based attacks on the ATM infrastructure. Such techniques became predominant in the second half of 2016, with some notorious examples like the RIPPER malware hitting a national ATM network in Thailand, or the COBALT organized cyber criminal group attacking ATMs in more than a dozen countries in Europe.
While the trend is now for network-based attacks, there is also space for simplicity and the more traditional physical access-based attacks, as unveiled by researchers from the security firm TrendMicro in collaboration with Europol EC3 group, who have recently discovered a new malware family dubbed ALICE.
ALICE is a very focused and light malware family used for ATM jackpotting, that is, a cybercriminal technique designed to steal huge amounts of money in cash from an ATM without having to use a credit or debit card. According to the researchers, ALICE is a completely new malware family that stands out for its simplicity. It does not target sensitive data like card numbers and PINs, only interacts with the ATM dispenser and is solely controlled from a keyboard.
No information has been disclosed as to the specific countries or entities being attacked by ALICE, but for sure it is a new risk in the wild that can hit any country or region anytime.

ATM Jackpotting using ALICE Malware

ATM jackpotting, or the use of malware to “cash-out” ATMs, is nowadays one of the trendiest ATM cybercrime tactics. It is used by the criminals to gain full control of the ATM hardware devices like dispenser, card reader and pinpad, allowing them to steal huge amounts of money in cash without having to use a credit or debit card.

Although jackpotting is nothing new, and there are some well-known malware families using similar techniques (Tyupkin, Padpin, Greendispenser, RIPPER…), ALICE is a brand new malware family that stands out for its simplicity.



This is how the ALICE ATM Jackpotting attack works:

  • Criminals gain physical access to the ATM's core CPU by breaking the top-box or using front-cover keys.
  • Once physical access is gained they leverage access to the USB ports or CDROM drive to infect the ATM with the malware. They also connect a standard keyboard to be able to operate it.
  • ALICE is an executable that can be run manually, and typically it is masqueraded by replacing the legitimate Windows Task Manager (taskmgr.exe). Before launching its GUI it performs some sanity checks to make sure it is running on a proper XFS (Extensions for Financial Services) environment, that is, a true ATM irrespective of the actual make and model (ALICE is a multi-vendor malware).
  • Once launched, ALICE takes control of the ATM, displaying a custom GUI asking for an authorization code, to guarantee control of the mule.
  • If authorization is granted, ALICE uses the XFS API to interact with the ATM dispenser, allowing the cybercriminal to issue multiple dispensing commands until the cash cassette is emptied (note that many ATMs have a 40-note dispensing limit). ALICE only interacts with the ATM dispenser and is controlled from the keyboard; it does not make use of the ATM pinpad.
  • Finally, after the “cash-out” is completed, ALICE provides a cleanup/uninstall mechanism to remove any traces of the attack; although, by mistake it seems, the uninstall process does not remove the error log file.


Security Measures against ATM Malware

Malware attacks are one of the biggest concerns in ATM fraud. Cyber criminals are extremely agile and innovative in producing new types of ATM logical attacks, since they are far less risky and much more profitable than traditional physical attacks, but they are also helped by the very poor security measures currently deployed on many ATM networks.

Every ATM is exposed to malware attacks and therefore, the application of robust and efficient security countermeasures becomes a basic and non-negotiable necessity.

Effectively managing the security of an ATM network requires a comprehensive protection model that would prevent execution of fraudulent software (Application Whitelisting), block attempts to replace legitimate files (File Integrity Protection), prevent connection of untrusted hardware (HW Protection) and prevent manipulation of hard disk data from outside the operating system (Full Disk Encryption). Additionally, it is critical to monitor security aspects of the ATM machines, having a centralized view of the ATM network, while adding an extra control layer that allows custom remote actions to be run to investigate or react to potential incidents.



Blocking an ATM attack with ALICE

In the case of the ALICE attacks, HW Protection would block the attacker’s attempt to connect external USB or keyboard devices, while Full Disk Encryption would prevent manipulation of hard disk data from outside the operating system (through external CDROM booting). These protection measures would then abort the attack in the infection phase.

Even if the ATM were infected with ALICE, File Integrity Protection would prevent ALICE from masquerading itself by replacing the legitimate taskmgr.exe file. And in case the malware is copied as a new executable, Application Whitelisting would prevent it from running.
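The two checks in the paragraph above can be told apart with a hash baseline. The following is an added example, not part of the original post or of any S21sec product; the directory layout, atmapp.exe, dropped.exe and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll"}  # assumption: file types treated as executable code

def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's content."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable under root (the trusted image)."""
    return {
        # Lower-cased because Windows paths are case-insensitive.
        p.relative_to(root).as_posix().lower(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }

def audit(root: Path, baseline: dict) -> dict:
    """Compare the current state with the baseline and classify each deviation."""
    current = build_baseline(root)
    findings = {}
    for rel, digest in current.items():
        if rel not in baseline:
            findings[rel] = "UNLISTED"  # new executable: whitelisting would deny it
        elif digest != baseline[rel]:
            findings[rel] = "REPLACED"  # trusted path, different content: masquerade
    for rel in baseline.keys() - current.keys():
        findings[rel] = "MISSING"       # baseline file no longer present
    return findings

def demo() -> dict:
    """Constructed scenario: trusted image, then a swapped taskmgr.exe and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "System32" / "taskmgr.exe").write_bytes(b"constructed: legitimate binary")
        (root / "atmapp.exe").write_bytes(b"constructed: ATM application")
        baseline = build_baseline(root)  # taken while the image is known good
        (root / "System32" / "taskmgr.exe").write_bytes(b"constructed: replaced binary")
        (root / "dropped.exe").write_bytes(b"constructed: unknown executable")
        return audit(root, baseline)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:9} {path}")
```

A path-only allowlist would miss the REPLACED case, which is why the baseline stores content hashes rather than file names.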

Furthermore, continuous monitoring of the ATM would raise alerts on suspicious activities, like ATM disconnections or reboots, and the ability to run remote custom actions would help to quickly and remotely identify and clean the infected ATMs, without the need to deactivate them and physically send technicians on-site to perform this job.



S21sec Approach to ATM Security

S21sec has extensive expertise in the development of solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager is an integrated multivendor security solution to manage the security of ATM networks, providing the most advanced set of countermeasures to block the new generation of targeted attacks based on malware. It also allows monitoring of security aspects of the ATM machines, adding an extra control layer to run custom remote actions for forensic investigations, all with minimal consumption of resources, thus limiting the impact on the performance of the ATM.

S21sec also provides specialized and advanced security services for financial organizations.

We are members and sponsors of the main ATM industry associations, like ATMIA and ATEFI.

For further information please contact us.




Security Affairs
Blog TrendMicro




S21sec Product Marketing Manager

