RIPPER malware plunders Windows-based ATMs

A new type of malware targeting automated teller machines is believed to have successfully dispensed bank notes illicitly in Thailand, with criminals making off with some 12 million baht (A$460,000).

Source: FireEye.

The RIPPER malware targets three types of unnamed Windows-based ATMs. Security vendor FireEye said it had obtained a sample of the malware just minutes before the money was stolen from banks in Thailand.

FireEye dubbed the malware RIPPER after it discovered a code project name, ATMRIPPER, in a sample submitted to Google's VirusTotal scanning service.

RIPPER running on infected ATMs is controlled through a specially-made ATM card with a EuroPay, MasterCard, or Visa (EMV) chip. The EMV chip is used to authenticate the malware to give thieves control of the ATM.

Commands identified by FireEye include the ability to disable the ATM's network connection to prevent communication with the bank, clean up log files, uninstall the RIPPER serivce, reboot the machine, and eject the card.

Security researcher Daniel Relagado told iTnews it wasn't clear how RIPPER infected ATMs.

Relagado said there are three main ways to infect an ATM: breaking into a bank’s network and finding the segment with the ATMs to be infected; paying someone with legitimate access to ATMs to help install the malware; or opening up the service part of the ATM with universal keys and installing malware via USB or CD-ROMs.

RIPPER enforces a limit of no more than 40 bank notes dispensed per withdrawal - the maximum limit allowed by the ATM vendors.

FireEye noted that RIPPER appears to be related to prior ATM malware such as Padpin or Tyupkin, which was used to empty Russian machines in 2014, as well as SUCEFUL and GreenDispenser.