Professional Documents
Culture Documents
Tyupkin ATM Malware Analysis
Tyupkin ATM Malware Analysis
inShare
48
Ethical Hacking Boot Camp OUR MOST POPULAR COURSE!
CLICK HERE!
Skillset What's this?
Malware
Introduction
Some time ago, Kaspersky discovered and reported a new type of malicious
program called Tyupkin, which targets ATM machines by moving beyond
targeting consumers with card skimmers that steal debit card numbers to
directly getting cash from an ATM without the need for a counterfeit or stolen
card.
At the heart of the Tyupkin exploitation of ATMs is the simple fact that it
requires physical access to an ATM. The attacker would need a bootable CD
to install the malware in the ATM. Because of this, physical security elements
should be seriously taken into consideration.
Here are the basic steps of how this malware performs its attack:
It is only active at specific times of the night on certain days of the week,
between Sunday and Monday 1:00 to 5:00.
There is a hidden window running the malware in the background. When the
user enters the right key in the keypad, it displays the program interface,
then it generates a key based on a random seed. Of course, the algorithm
responsible for this operation is known only by the authors of the malware to
prevent anyone from interacting with the ATM.
When the correct key is entered, it leads to the process to take money off the
net.
WOSA/XFS Overview
First and foremost, let me give you a brief overview of whats related to
banking technology.
The WOSA XFS incorporates the definition of a further API and corresponding
set of SPIs. The specification defines a standard set of interfaces such that,
for example, an application that uses the API set to communication with a
particular service provider can work, without need for enhancement, with
another vendors service provider as long as that vendor is WOSA XFS
compliant.
Although the WOSA XFS defines a general architecture for access to service
providers from Windows based applications, the initial focus has been on
providing access to peripheral devices that are unique to financial
institutions, such as ATMs. Since these devices are often complex, difficult to
manage, and proprietary, the development of a standardized interface to
them offers financial institutions immediate gains in productivity and
flexibility.
WOSA XFS changed its name to simply XFS when the standard was adopted
by the international CEN/ISSS standards body. However, it is most commonly
called CEN/XFS by the industry participants.
Coming back to Tyupkin, this malware uses the WOSA/XFS or CEN/XFS which
different hardware vendors comply with. As far as we are concerned, they get
their hands on some manual references that contain detailed information on
how to interact with the ATM. We have found XFS specification papers
released by CEN which we will use along this analysis to understand the XFS
architecture. We have seen also some leaks on Baidu search engine
published by F-Secure, but we are not sure that it was the ones used by
cybercriminals.
WOSA/XFS Architecture
The applications communicate with service providers via the Extensions for
Financial Services Manager using the API set.
The XFS Manager provides overall management of the XFS subsystem. The
XFS Manager is responsible for mapping the API (WFS) functions to SPI
(WFP) functions, and calling the appropriate vendor-specific service
providers. Note that the calls are always to a local service provider.
Each XFS service for each vendor is accessed via a service-specific module
called a service provider. For example, vendor As journal printer is accessed
via vendor As journal printer service provider, and vendor Bs receipt printer
is accessed via vendor Bs receipt printer service provider.
Technical Analysis
SHA256:
b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80
As you can see, MSXFS.DLL is our dll from Microsoft which contains the
function calls to the API and SPI.
After the sample run, it sleeps for 10 minutes to evade anti-malware tools:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Apt
raDebug
Make a copy of itself in C:\WINDOWS\system32\ulssm.exe, I am not totally
sure about this, strings are obfuscated and I could not decrypt them
manually, I tried de4net but it failed.
A service handle (hService) is assigned to the session, and is used in all the
calls to the service in the lifetime of the session. Finally, when an application
no longer requires the use of a particular service, it issues a WFSClose.
After successfully preparing the XFS service manager, the malware start two
threads, and if it fails it just deletes the bin silently and exits.
If bAutoEnd is set to true, the service provider terminates the command when
the maximum number of digits is entered. Otherwise, as our case, the input is
terminated by the user using one of the termination keys. When usMaxLen is
reached, the service provider will disable all numeric keys.
The third and fourth parameters are not important for us. uTerminateFDKs
Specifies those FDKs which must terminate the execution of the command. In
our case, this value is equal to 0x400, which is the ENTER key: #define
WFS_PIN_FK_ENTER
(0x00000400)
#define
WFS_SUCCESS
(0)
#define
WFS_ERR_NOT_STARTED
(-39)
Finally, it calls the function scenario (), and depending on which key sequence
has been taped on the PINP AD, Tyupkin does the following:
After the user enters the cassette number and presses enter, it calls
getDecimalNumberFromPINFKDigit to convert the number entered to an
integer, then it verifies if it is bigger than 1 and smaller than the total number
of cassettes and calls executeDispense, which in turn calls WFSExecute with
WFS_CMD_CDM_DISPENSE, then calls getCashUnitInfo/getCashUnitInfo which
calls WFSGetInfo (retrieves information from the specified service provider) to
get information related to each cassette and how much income there is on it.
Ploutus malware has been shown to be before, and Tyupkin is now a concrete
weakness in the ATM infrastructure. Also the fact that many ATMs run
unsupported OS like Windows XP and the absence of security solutions is
another problem that needs to be addressed urgently. My recommendation
for the banks is to review the physical security of their ATMs and their
employers (insiders?).
Indicators of compromise: