Lock Picking — How To Open Device-Specific ATM Malware


The financial and retail sectors have been plagued with device-specific malware targeting POS and ATM machines. This article is a primer on ATM “jackpotting” software: malware written to run solely on cash machines.

Dark Market ATM Malware

Recently there has been some industry coverage of the Cutlet Maker, ALICE and ATMii “jackpot” malware families. A look at a dark market advert for Cutlet Maker, promoted by Band1T, sheds some interesting light on how these attacks actually work.

Device-Specific ATM Malware

One thing that seems consistent across this strain of jackpot malware is the requirement for physical access to the ATM’s USB port. I had laughed this type of threat off, pigeonholing it in the “could only happen in Russia” bucket. However, after reviewing one of the videos promoting Cutlet Maker, it appears that gaining physical access might not be as hard as I’d thought.

In the video, the thief inserts a knife into the faceplate at the top of the ATM, flicks it out, and exposes the USB port.


Using a special tool, such as a screwdriver with a USB connector soldered to it, to reach the USB port at the back of the machine through the hole in the exposed front panel, the thief inserts the USB stick and waits for the Cutlet Maker software to launch and its user interface to appear on the screen.


Several moments later, cash is dispensed. The thief goes to the trouble of blurring out the currency at the bottom of the final image, but it looks a bit like Moldovan leu.

[Image: Cutlet Maker software user interface]

There have been several high-profile organized ATM heists over the past few years. The only limiting factor seems to be the logistical barrier of an ATM being able to deliver a maximum of 40 notes in any single dispense. Breaches of this nature have been reported in Thailand, Taiwan, and Russia. The only clue in the Russian breach, which netted the criminals $800,000 in one night, was a line in the ATM’s log file saying “Take the Money Now,” a phrase also seen in the Tyupkin strain of ATM malware.

[Image: ATM log file containing the line “Take the Money Now”]
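The log line was the only clue left behind in the Russian heist, which is exactly the kind of artifact an ATM operator can hunt for. The following is an added example (not code from the original post or from any ATM vendor) of a small log scanner that flags three things the post describes: a known jackpotting indicator string such as “Take the Money Now”, dispense events that occur with no card session in progress, and dispenses at the 40-note ceiling the post mentions. The log format, the component names (CARD, DISP, APP) and the sample lines are all constructed for illustration; real ATM middleware logs look different, so the regular expressions would need to be adapted.

```python
"""Scan ATM application logs for jackpotting indicators.

Added example for illustration only; the log format below is constructed and
does not match any particular ATM middleware.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Indicator strings seen in jackpotting malware logs. "Take the Money Now" is the
# Tyupkin phrase mentioned in the post; the tuple is intended to be extended
# with strings from other families as they are documented.
INDICATOR_STRINGS = ("take the money now",)

# Maximum number of notes a single dispense can deliver (figure from the post).
MAX_NOTES_PER_DISPENSE = 40

# Constructed sample log: "<date> <time> <component> <message>".
# The first three lines are a normal withdrawal; the rest model a jackpot run.
SAMPLE_LOG = """\
2017-10-01 02:14:03 CARD  card inserted
2017-10-01 02:14:20 DISP  dispense 10 notes
2017-10-01 02:14:25 CARD  card ejected
2017-10-01 03:02:11 APP   Take the Money Now
2017-10-01 03:02:12 DISP  dispense 40 notes
2017-10-01 03:02:40 DISP  dispense 40 notes
2017-10-01 03:03:09 DISP  dispense 40 notes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) +(?P<comp>\S+) +(?P<msg>.*)$")
DISPENSE_RE = re.compile(r"dispense (?P<n>\d+) notes")

REASON_INDICATOR = "known jackpot indicator string"
REASON_NO_CARD = "dispense with no card session"
REASON_MAX_NOTES = "dispense at maximum note count"


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious condition, in log order."""
    findings: List[Finding] = []
    card_present = False  # tracks whether a customer card session is open

    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the constructed format
        comp, msg = match["comp"], match["msg"]
        low = msg.lower()

        # 1. Known malware strings anywhere in the message.
        for indicator in INDICATOR_STRINGS:
            if indicator in low:
                findings.append(Finding(line_no, REASON_INDICATOR, line))

        # Maintain card-session state from the CARD component.
        if comp == "CARD":
            if "inserted" in low:
                card_present = True
            elif "ejected" in low:
                card_present = False

        # 2./3. Dispense events: no card session, or full-capacity dispense.
        dispense = DISPENSE_RE.search(low)
        if dispense:
            notes = int(dispense["n"])
            if not card_present:
                findings.append(Finding(line_no, REASON_NO_CARD, line))
            if notes >= MAX_NOTES_PER_DISPENSE:
                findings.append(Finding(line_no, REASON_MAX_NOTES, line))

    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings by reason, useful for a quick triage view."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.reason}: {f.text}")
    print(dict(summarize(results)))
```

A full-capacity dispense on its own is not proof of anything (a legitimate large withdrawal can hit the limit), which is why the scanner reports each condition separately and leaves the correlation to the analyst: a string match followed by repeated 40-note dispenses with no card in the reader is the pattern worth paging someone about.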

Now you know the basics of how criminals gain access to the USB port on an ATM and use it to implant malware that dispenses cash. To find out more about the inner workings of a specific strain of ATM malware, Tyupkin, please read our “Take The Money Now!” blog post.

Andy Norton


Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
