ATM Malware FiXS Targets Mexican Banks to Dispense Quick Money

Financial institutions around the world experience billions of dollars of losses annually due to ATM attacks. This problem only continues to worsen given the development of new ATM malware that takes advantage of the physical and digital components of an ATM. The latest malware in this trend is FiXS, which is currently targeting Mexican banks.

What’s happening?

The initial attack vector is not yet known; however, Metabase Q researchers anticipate that the malware requires interaction with the ATM via touchscreen via an external keyboard.
  • This Windows-based malware is vendor-agnostic. It can infect any teller machine that supports CEN/XFS (short for eXtensions for Financial Services).
  • It comes embedded in a dropper containing the necessary XFS APIs to control the ATM dispenser. To decode the embedded malware, XOR instructions are used and the key is changed in every loop via the decode_XOR_key() function.
  • The dropper then gives the decoded malware the same file name as the dropper itself, conhost[.]exe, and finally launches FiXS via a Windows API.
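
One way to hunt for the behaviour described above in Windows process telemetry, as an added example that is not from Metabase Q or the original article: it flags a conhost.exe started outside System32 and any non-allowlisted binary loading the XFS manager. The event field names, hosts, paths and the allowlist entry are constructed, and it assumes XFS clients load msxfs.dll.

```python
import ntpath

# Simplified records modelled on Sysmon process-create (1) and image-load (7)
# events. Field names, hosts and paths are constructed for this example.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ATM-01", "image": r"C:\WINDOWS\system32\CONHOST.EXE"},
    {"event_id": 1, "host": "ATM-02", "image": r"C:\Users\Public\conhost.exe"},
    {"event_id": 1, "host": "ATM-03",
     "image": r"C:\Windows\System32\..\Temp\conhost.exe"},
    {"event_id": 7, "host": "ATM-01", "image": r"C:\ATMApp\atmapp.exe",
     "loaded": r"C:\Windows\System32\msxfs.dll"},
    {"event_id": 7, "host": "ATM-02", "image": r"C:\Users\Public\conhost.exe",
     "loaded": r"C:\Windows\System32\MSXFS.dll"},
]

LEGIT_CONHOST_DIR = r"c:\windows\system32"   # where the real conhost.exe lives
XFS_MANAGER_DLL = "msxfs.dll"                # CEN/XFS manager library
XFS_ALLOWLIST = {r"c:\atmapp\atmapp.exe"}    # hypothetical: the bank's ATM software


def norm(path):
    """Collapse '..' segments and case so path tricks do not evade comparison."""
    return ntpath.normpath(path).lower()


def triage(events):
    """Return (host, rule, image) for each event matching either rule."""
    findings = []
    for ev in events:
        image = norm(ev["image"])
        folder, name = ntpath.split(image)
        if ev["event_id"] == 1:
            # Rule 1: a process named conhost.exe started from a non-system folder.
            if name == "conhost.exe" and folder != LEGIT_CONHOST_DIR:
                findings.append((ev["host"], "conhost-outside-system32", image))
        elif ev["event_id"] == 7:
            # Rule 2: the XFS manager loaded by a binary not on the allowlist.
            loaded = ntpath.basename(norm(ev["loaded"]))
            if loaded == XFS_MANAGER_DLL and image not in XFS_ALLOWLIST:
                findings.append((ev["host"], "unexpected-xfs-client", image))
    return findings


if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {image}")
```

On a real fleet the allowlist would hold the full paths of the vendor and bank binaries that are expected to talk to XFS on each ATM model.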

Malware characteristics

FiXS does not come with a rich interface. It runs in an infinite loop and requires the user to punch in the right combination of keys to display further details or perform actions.
  • For instance, to display the details about cash units, the user needs to press M (to show the display window), followed by A.
  • For money dispensing, it first waits for the cassettes to be loaded. Next, it goes to the next peripheral in the list and instructs the ATM to dispense money 30 minutes after the last ATM reboot.
  • The malware resource contains Russian metadata that suggests the origin of this piece of malware. Moreover, it has code and functionality similarities with other ATM malware such as Ploutus and Ripper.

Conclusion

It is important that banks and financial institutions keep sight of all the threats in their environment to avoid cyberattacks. They are advised to review the security around their ATMs, ensuring the machines are protected against such malware installations. It is key that they constantly investigate and anticipate the maneuvers of criminals, who never stop developing new methods to violate the computer systems of ATMs.
Cyware Publisher