Analyzing ATM malware


For some time now, a new wave of malware targeting Automated Teller Machines (ATMs) has been appearing: Backdoor.MSIL.Tyupkin, Backdoor.Padpin, the newer GreenDispenser, etc. All of them seem to use the eXtensions for Financial Services (XFS) library to control the ATM. If you try to debug or analyze a sample of these malware families, or submit one to a Cuckoo sandbox, it won't run because it fails to load msxfs.dll.

The problem is that XFS seems to be a private library. Simulators and debug environments are private software, and expensive to buy. I have not been able to find an open source solution. For this reason I decided to implement a fake msxfs.dll. It has the same exports as the original one. There isn't enough documentation, and it's hard to create a perfect simulator DLL, so I tried to simulate the most typical commands these malware families use, for example returning random digits from the pinpad when the trojan tries to read them.

Here you can find the fake msxfs.dll's source code and binaries:

https://github.com/vallejocc/fake_msxfs

The code is quite simple; the most interesting function is WFSExecute. The trojan uses it to read the pinpad data, and the fake msxfs.dll returns random data. Some of these ATM trojans wait for a code entered on the pinpad before showing their backdoor menu. For example, GreenDispenser calls WFSExecute continuously with the command WFS_CMD_PIN_GET_DATA to read the keys pressed on the pinpad, and when the expected combination is entered it shows the trojan menu. Because the fake msxfs.dll returns random data, after N calls to WFSExecute the correct code is eventually matched and the trojan's menu is shown.

(Here you can find a detailed analysis of GreenDispenser; the sample shown in the video has SHA-256 b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f.)

The fake msxfs.dll can be used to debug this type of trojan, or it can be added to Cuckoo sandbox machines, for example, to at least get these malware families running and obtain Cuckoo's behavioural logs.
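As an added illustration of the mechanism described above (example code written for this explanation, not code from the fake_msxfs repository or from the GreenDispenser sample), the fake WFSExecute below hands back one random digit per WFS_CMD_PIN_GET_DATA call, and a model of the trojan's polling loop counts how many calls it takes for the expected code to show up; the XFS type layouts, the WFS_CMD_PIN_GET_DATA value and the error constant are simplified assumptions, not the real xfsapi.h/xfspin.h definitions.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for the XFS types (assumption for this example; the real
   xfsapi.h / xfspin.h definitions carry more fields and are not reproduced). */
typedef unsigned long DWORD; typedef long HRESULT; typedef unsigned short HSERVICE;
#define WFS_SUCCESS            0
#define WFS_ERR_UNSUPP_COMMAND (-1)  /* placeholder value, not the XFS constant */
#define WFS_CMD_PIN_GET_DATA   401   /* PIN class (4) * 100 + 1, assumed */
typedef struct {
    DWORD   dwCommandCode;
    HRESULT hResult;
    char    digit;   /* stand-in for the key list a real WFSPINDATA would hold */
} FAKE_WFSRESULT;

/* Fake WFSExecute: answers WFS_CMD_PIN_GET_DATA with one random pinpad digit
   and rejects any other command, like the stub described in the post. */
HRESULT fake_WFSExecute(HSERVICE hService, DWORD dwCommand, void *lpCmdData,
                        DWORD dwTimeOut, FAKE_WFSRESULT **lppResult)
{
    (void)hService; (void)lpCmdData; (void)dwTimeOut;
    if (dwCommand != WFS_CMD_PIN_GET_DATA) return WFS_ERR_UNSUPP_COMMAND;
    FAKE_WFSRESULT *r = calloc(1, sizeof *r);
    if (!r) return WFS_ERR_UNSUPP_COMMAND;
    r->dwCommandCode = dwCommand;
    r->hResult = WFS_SUCCESS;
    r->digit = (char)('0' + rand() % 10);
    *lppResult = r;
    return WFS_SUCCESS;
}

/* Model of the trojan's polling loop: keep the last strlen(code) digits read
   from the fake pinpad and return the number of WFSExecute calls it took until
   they equal `code`, or -1 if max_calls is exhausted first. */
int calls_until_code(const char *code, int max_calls)
{
    size_t n = strlen(code);
    char window[16] = {0};
    if (n == 0 || n >= sizeof window) return -1;
    for (int calls = 1; calls <= max_calls; calls++) {
        FAKE_WFSRESULT *res = NULL;
        if (fake_WFSExecute(1, WFS_CMD_PIN_GET_DATA, NULL, 0, &res) != WFS_SUCCESS)
            return -1;
        memmove(window, window + 1, n - 1);
        window[n - 1] = res->digit;
        free(res);   /* a real client would call WFSFreeResult here */
        if (memcmp(window, code, n) == 0) return calls;
    }
    return -1;
}
```

With a 4-digit code the match typically takes on the order of ten thousand reads, which is why the backdoor menu eventually appears when the sample runs against the fake DLL in a sandbox.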

Related links:

https://otx.alienvault.com/pulse/56043c0667db8c47d4cdfacb/

https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser

http://www.safensoft.com/archiv/n/819/1796

http://resources.infosecinstitute.com/hacking-atms-new-wave-malware/

http://security.blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/

https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

https://www.symantec.com/security_response/writeup.jsp?docid=2014-051213-0525-99&tabid=2

https://en.wikipedia.org/wiki/CEN/XFS


5 thoughts on “Analyzing ATM malware”

  1. Hi, I can provide full virtualization with the real msxfs.dll and other XFS libraries and other vendor libraries and APIs for the three main ATM vendors. We would like to know if you can share the information of the PoCs so we can find out if our network has been compromised and respond to these threats in our ATM network..

    Just write me an email so we can talk ..

    Regards

  2. ¡Coolio! (notice the double question mark, please)

    Would be even better (great) if the post was a bit longer and a walk-through of how you reverse engineered “msxfs.dll”. (Hey, I don’t lose anything for asking… right?)

    Keep it up! 🙂 (now only 1)

    1. Thank you n30m1nd 🙂 I have not found the original msxfs.dll anywhere on the internet; I think it is a private library. I have only found some header files related to this API, so I coded the fake DLL based on the header files and on reversing the GreenDispenser malware, trying to see what results it expected from the DLL. I’ll update the post in the future with more technical details about the analysis of GreenDispenser 🙂
