Tuesday, September 29, 2015

Analyzing ATM malware

For some time now a new wave of malware targeting Automated Teller Machines (ATMs) has been appearing: Backdoor.MSIL.Tyupkin, Backdoor.Padpin, the newer GreenDispenser, etc. All of them seem to use the eXtensions for Financial Services (XFS) library to manage the ATM. If you try to debug or analyze a sample of these malware families, or introduce it into a Cuckoo sandbox, it won't run because it fails to load msxfs.dll.


The problem is that XFS seems to be a private library. Simulators and debug environments are proprietary software, and expensive to buy. I have not been able to find an open source solution. For this reason I decided to implement a fake msxfs.dll with the same exports as the original one. There isn't enough documentation and it's hard to create a perfect simulator dll, so I tried to simulate the most typical commands that these malware families use, for example returning random digits from the pinpad when the trojan tries to read them.

Here you can find fake msxfs.dll’s source code and binaries:

https://github.com/vallejocc/fake_msxfs

The code is quite simple; the most interesting function is WFSExecute. It is used by the trojan to read the pinpad data, and the fake msxfs.dll answers with random data. Some of these ATM trojans wait for a code entered on the pinpad before showing their backdoor menu. For example, GreenDispenser calls WFSExecute continuously with the command WFS_CMD_PIN_GET_DATA to read the keys pressed on the pinpad. When the expected combination is entered, it shows the trojan menu. Because the fake msxfs.dll returns random data, after N calls to WFSExecute the correct code is matched and the trojan's menu is shown.

(A detailed analysis of GreenDispenser can be found here; the sample shown in the video is b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f.)
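To make the WFSExecute behaviour concrete, here is an added example (written for this post, not the code from the fake_msxfs repository) that sketches the same idea in portable C so it builds outside Windows. The XFS types and the numeric values of WFS_CMD_PIN_GET_DATA and the error codes are placeholders (marked ASSUMED); the result block is a simplified stand-in for the real LPWFSRESULT / WFSPINDATA, and the helper names fake_xfs_seed, fake_WFSExecute and calls_until_code are my own. The PRNG is seedable so a sandbox run that triggered the menu can be replayed exactly, and calls_until_code measures how many polls it took for a given key sequence to appear rather than waiting for it to happen.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the XFS API types so this compiles outside Windows.
 * Values marked ASSUMED are placeholders, not taken from msxfs.h / xfspin.h. */
typedef long     HRESULT;
typedef uint16_t HSERVICE;
typedef uint32_t DWORD;
typedef uint32_t ULONG;

#define WFS_SUCCESS             0L
#define WFS_ERR_INVALID_POINTER (-1L)   /* ASSUMED placeholder value */
#define WFS_ERR_UNSUPP_COMMAND  (-2L)   /* ASSUMED placeholder value */
#define WFS_CMD_PIN_GET_DATA    402     /* ASSUMED placeholder value */

/* Simplified result block. The real WFSExecute hands back an LPWFSRESULT whose
 * buffer holds a WFSPINDATA key list; one digit per poll is enough here. */
typedef struct {
    DWORD   dwCommandCode;
    HRESULT hResult;
    ULONG   ulDigit;   /* 0..9 when dwCommandCode == WFS_CMD_PIN_GET_DATA */
} FAKE_WFSRESULT;

/* xorshift32: deterministic so a sandbox run can be replayed exactly. */
static uint32_t g_state = 0x9E3779B9u;
static unsigned long g_calls = 0;

void fake_xfs_seed(uint32_t seed) { g_state = seed ? seed : 1u; g_calls = 0; }
unsigned long fake_xfs_call_count(void) { return g_calls; }

static uint32_t next_rand(void)
{
    uint32_t x = g_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return g_state = x;
}

/* Fake WFSExecute: answer pinpad polls with a random digit and refuse every
 * other command with an error, so the sample's error paths are exercised
 * instead of silently succeeding. The call counter feeds the analyst's log. */
HRESULT fake_WFSExecute(HSERVICE hService, DWORD dwCommand, void *lpCmdData,
                        DWORD dwTimeOut, FAKE_WFSRESULT *lpResult)
{
    (void)hService; (void)lpCmdData; (void)dwTimeOut;
    g_calls++;
    if (lpResult == NULL)
        return WFS_ERR_INVALID_POINTER;
    lpResult->dwCommandCode = dwCommand;
    if (dwCommand == WFS_CMD_PIN_GET_DATA) {
        lpResult->ulDigit = next_rand() % 10;
        lpResult->hResult = WFS_SUCCESS;
        return WFS_SUCCESS;
    }
    lpResult->ulDigit = 0;
    lpResult->hResult = WFS_ERR_UNSUPP_COMMAND;
    return WFS_ERR_UNSUPP_COMMAND;
}

/* Analyst helper: poll the fake pinpad until `code` shows up as a contiguous
 * run of digits and return the number of WFSExecute calls that took
 * (0 if it was not matched within max_calls or the code is unusable). */
unsigned long calls_until_code(const char *code, unsigned long max_calls)
{
    size_t len = strlen(code);
    char window[16];           /* sliding window of the last `len` digits */
    FAKE_WFSRESULT r;
    if (len == 0 || len >= sizeof window) return 0;
    memset(window, '?', len);
    for (unsigned long n = 1; n <= max_calls; n++) {
        if (fake_WFSExecute(1, WFS_CMD_PIN_GET_DATA, NULL, 0, &r) != WFS_SUCCESS)
            return 0;
        memmove(window, window + 1, len - 1);
        window[len - 1] = (char)('0' + r.ulDigit);
        if (memcmp(window, code, len) == 0) return n;
    }
    return 0;
}

int main(void)
{
    fake_xfs_seed(12345u);
    printf("calls until the constructed code 1234 appeared: %lu\n",
           calls_until_code("1234", 200000));
    return 0;
}
```

With uniformly random digits a code of length k needs on the order of 10^k polls on average, which is why a sample that polls in a tight loop reaches its menu quickly in a sandbox while a longer or multi-key code can take noticeably more calls; recording the seed alongside the Cuckoo run keeps the trace reproducible.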

The fake msxfs.dll could be used for debugging this type of trojan, or it could be added to Cuckoo sandbox machines, for example, to at least get these malware families running and obtain Cuckoo's behavioural logs.

Related links:

https://otx.alienvault.com/pulse/56043c0667db8c47d4cdfacb/

https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser

http://www.safensoft.com/archiv/n/819/1796

http://resources.infosecinstitute.com/hacking-atms-new-wave-malware/

http://security.blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/

https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

https://www.symantec.com/security_response/writeup.jsp?docid=2014-051213-0525-99&tabid=2

https://en.wikipedia.org/wiki/CEN/XFS
