Tyupkin Malware used to drain millions from ATMs

Tyupkin Malware used to drain millions from ATMs

Video Thieves are using malware dubbed Tyupkin to empty cash machines and make off with millions of dollars, we’re told.

The hackers don’t need to use stolen or cloned cards. Instead, fraudsters infect the ATM’s on-board PC, and then later type a unique combination of digits on the PIN keypad to drain the machine of banknotes, according to researchers at Kaspersky Lab.

Experts were called in by a financial institution to investigate the disappearance of cash from its ATMs around the world. During this probe, the researchers discovered a piece of malware installed on the machines (Tyupkin) that allowed criminals to loot the devices. Some 50 infected ATMs were found in eastern Europe. Policing agency Interpol is now involved.

A video showing this attack, which has apparently netted “millions of dollars”, as show below.

In order to install the malicious backdoor, someone needs to physically insert a bootable CD which installs the Tyupkin malware.

Once the machine is rebooted, the ATM is under the control of the criminal gang. The sophisticated malware then runs in the background on an infinite loop awaiting a command from the attacker’s side. However, the malware will only accept commands at specific times – in this case on Sunday and Monday nights – making it harder to detect.
Furthermore, a unique combination key based on random numbers is generated – so that the possibility of a member of the public accidentally entering a code can be avoided. This key code needs to be entered before the main menu is shown.

“The malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown,” Kaspersky stated in its release. “This ensures that the mules collecting the cash do not try to go it alone.”

When this session key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to steal from, and the number of available banknotes – the ATM dispenses a maximum of 40 at a time from the chosen cassette.

Related posts

Popup Builder Plugin Flaw Exploited To Infect WordPress Sites

Pipidae – the latest malware to take over the Mac ecosystem

Unmasking the Multi-Stage AiTM Phishing and BEC Attack on Financial Institutions