Security researchers from Kaspersky have detected a new ATM malware called ATMii that targets only ATMs operating on Microsoft Windows 7 and Windows Vista.
The malware was first detected in April 2017, when one of the affected banks shared it with Kaspersky security researchers. It consists of two files, exe.exe and dll.dll. To install ATMii, the attacker needs direct access to the target ATM, either over the network or physically.
According to Kaspersky:
“ATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.”
ATMii is yet another instance of how crooks can use legitimate proprietary libraries and a small piece of code to drain cash from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control.