NeoPocket: A new ATM malware

In Uncategorized

In 2013, during the late September the discovery of a new malware family – known as Ploutus – was announced. The malware was designed to attack a specific brand of ATM cash machines that were widely used in Mexico. Since then, the threat has evolve and new variants have been observed in different countries.

Recently we were requested to investigate a similar attack, where possibly ATM malware had been used to empty out cash machines. We expected it to be Ploutus, however there were several controversial facts. First of all, the compromised ATMs belonged to a different model than the one we saw in the case of Ploutus. Secondly, regarding to the obtained malware sample, there were no code similarities at the binary level when we compare it with Ploutus. Moreover, the newly identified malware was not even created in the same development environment as Ploutus had been.

After doing some research, we have come to a conclusion: we were dealing with an unclassified malware family, yet unknown to the public. We decided to internally refer to it as NeoPocket, borrowing the name from a character string spotted in the binary. In the following lines, we would like to give some technical insights about the internals of this new threat, NeoPocket.

Malware setup and activation

NeoPocket was developed in Visual Basic, and however we do not possess the original dropper or the installation media, most likely the infection vector origins from a USB drive and the attacker must have had physical access to the ATM  machines. There are other evidences that support the theory of the usage of an external drive, such as that the threat  accepts commands from an USB drive and it also always tests if the USB is  available on the infected system. It also checks whether it is being launched from the root directory, only in this case it would perform installation operations.

If executed from the root directory of any drive, it popups its installation dialog, requesting an activation code to enter:

The activation code needs to be given as a response to another number (in our picture is 7600519) in order to authorize the installation. The code is generated using the current date as seed:

If the code was correct , the malware verifies the presence of a few file locations that belong to the targeted ATM software:

When all checks are OK, the malware copies itself into the ATM software’s directory and creates the following files:

  • Casas.txt
  • devices2.ini
  • devicex.ini
  • borrar.exe

A registry key is created as well, in order to survive system reboot. The malware also tampers the ATM software’s configuration file, hijacking the default IpHost parameter:

All relevant communication between the ATM machine and the control host is then redirected through the port number 6000, where the threat listens and acts as a malicious proxy.

After a successful installation, it displays a notifying message:

The threat also has a timer function that is called periodically to ensure automatic access to the USB drive by constantly updating the Start value of the registry key SYSTEMCurrentControlSetServicesUSBSTOR

Information theft

The threat monitors windows captions looking for a specific content:

  • Escriba la clave ‘A’
  • Escriba la clave ‘B’
  • Enter the key ‘A’
  • Enter the key ‘B’
If any of the above is found, the malware activates its keylogger and the captured keystrokes then are written into two files casaA1.txt or casaB1.txt respectively (the digits in the filename may be incremental).
As mentioned earlier the malware hijacks the default TCP communication  in which relies the ATM’s software, by  modifying its *.ini file and redirecting traffic to port 6000:

This smart move allows the attacker to carry out a Man In The Middle attack.

As a result, all the information supposed to be going directly to the ATM’s software, now goes through on the malware’s filter function and logged into the file Casas.txt

Here is a table summarizing the files and their purpose relating with the malware’s activity:

Interaction and control

The way to interact with the malware is through the hijacked raw socket described in the previous point. It stores the data from transactions, as well as the user inputs may it come from the keyboard strokes or from touchscreen. 
The malware looks for patterns within the incoming data-stream. These patterns, work as valid commands to collect information and also to trigger additional functionality

Finally, the rest of the control is performed using the USB drive.

In this fashion, the creation some files with specific names in the root of drive is enough, as the when the malware detects them it will execute a series of default actions. The so called command are the following:


  • Physically harden  the entire ATM, do not just limit to the cash safety box. The ATM’s computer should be isolated as well, not allowing unauthorized access to its components, ports and slots. Periodically schedule integrity checks, especially after maintenance and routine checks have been performed.
  • Consider to install additional surveillance systems like CCTV, or increment the number of them.
  • Control USB and CD-ROM access at the BIOS level. Protect the BIOS with password..
  • Upgrade from Windows XP to a more recent version of the operating system (or choose an alternate OS), since we all know that support for Windows XP has ended. ATMs running Windows XP Embedded (Toolkit and Runtime) may be an exception to this as there is an extended support for them, however only until 12th of January, 2016.
  • Use third party solutions that provide real-time protections, such as Lookwise Device Manager for ATM

Sample MD5:  1a6a240d2d03eb2c66c17a6593d4b6d2

Jozsef Gegeny and Santiago Vicente

Recommended Posts

Leave a Comment