{
	"id": "447b3dc3-603f-4253-9346-e8c9af986b89",
	"created_at": "2026-04-06T00:10:13.636253Z",
	"updated_at": "2026-04-10T03:21:53.182088Z",
	"deleted_at": null,
	"sha1_hash": "634be62fe2d04e87745513d7788f86bb1b9f6372",
	"title": "Meet GreenDispenser: A New Breed of ATM Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115827,
	"plain_text": "Meet GreenDispenser: A New Breed of ATM Malware | Proofpoint US\r\nBy September 24, 2015 Thoufique Haq\r\nPublished: 2015-09-22 · Archived: 2026-04-05 14:48:01 UTC\r\nBy Thoufique Haq\r\nOn the heels of recent disclosures of ATM malware such as Suceful [1], Plotus [2] and Padpin [3] (aka Tyupkin),\r\nProofpoint research has discovered yet another variant of ATM malware, which we have dubbed GreenDispenser.\r\nGreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed,\r\nGreenDispenser may display an ‘out of service’ message on the ATM -- but attackers who enter the correct pin codes\r\ncan then drain the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of\r\nhow the ATM was robbed.\r\nDeployment and Operation\r\nInitial malware installation likely requires physical access to the ATM, raising questions of compromised physical\r\nsecurity or personnel. Once installed, GreenDispenser is similar in functionality to Padpin but does exhibit some unique\r\nfunctionality, such as date limited operation and a form of two-factor authentication.\r\nSpecifically, GreenDispenser like its predecessors interacts with the XFS middleware [4], which is widely adopted by\r\nvarious ATM vendors. The XFS middleware allows software to interact with the peripherals connected to the ATM such\r\nas the pinpad and the cash dispenser by referencing the specific peripheral name. GreenDispenser has the ability to\r\ntarget ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names\r\nfrom the registry hive before defaulting to hardcoded peripheral names.\r\nThe malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than\r\nSeptember, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to\r\navoid detection. 
Furthermore, GreenDispenser employs authentication using a static hardcoded PIN, followed by a\r\nsecond layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives\r\nthis second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an\r\napplication that can run on a mobile phone with functionality to scan the barcode and derive the second PIN -- a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist.\r\nIn addition, GreenDispenser has the capability to perform a deep delete after the heist to prevent forensic analysis and\r\nIR investigations.\r\nTechnical Details\r\nAn initial inspection of the IAT (Import Address Table) in GreenDispenser shows usage of various XFS APIs through\r\nmsxfs.dll in order to interface with the XFS middleware.\r\nhttps://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser\r\nPage 1 of 6\n\nFigure 1: IAT shows usage of XFS APIs\r\nOnce run, GreenDispenser performs a check to verify that the current year is 2015 and the current month is earlier than\r\nSeptember. If these conditions are not met, then GreenDispenser simply quits.\r\nFigure 2: Time bound checks\r\nIf the checks pass, GreenDispenser proceeds to create a mutex called “dispenserprgm” to ensure that only a single\r\ninstance of GreenDispenser is running. It then creates a second desktop environment on the ATM called “dDispW” and\r\ncreates a window in the second desktop called “Dispenser”. This window is created using the window style\r\n“WS_EX_TOPMOST“ to ensure that it overlays all other windows on the ATM screen. GreenDispenser may initially\r\ndisplay a message on the screen indicating that the ATM is out of service as shown in Figure 3. 
It is interesting to note\r\nthat while this instance displays a message in English (or somewhat close to it), other instances displayed an out of order\r\nmessage in Spanish with the string “Temporalmente fuera de servicio ”.\r\nFigure 3: Fake out of service message\r\nGreenDispenser then initiates a session to the XFS manager using WFSStartUp and attempts to query the registry\r\nlocation “HKEY_USERS\\ .DEFAULT\\XFS\\LOGICAL_SERVICES\\class=PIN” to obtain the peripheral name for the\r\npinpad [5]. If not found, it defaults to “Pinpad1”, which is the pinpad peripheral name on specific ATMs. GreenDispenser\r\nthen waits in an infinite loop for input from the pinpad. It accepts input from the pinpad using a call to WFSExecute\r\nwith the command set to “WFS_CMD_PIN_GET_DATA” as shown in Figure 4.\r\nFigure 4: API call to accept input from pinpad\r\nIf the right static PIN is provided, it then displays the screen shown in Figure 5 prompting for a second PIN.\r\nFigure 5: Screen after entering hardcoded static PIN\r\nThe contents of the QR code are randomly seeded and subjected to encryption using the Microsoft CryptoAPI followed\r\nby Base64 encoding, but we have chosen to forgo further discussion of details in order to avoid potential misuse of\r\ninfected ATMs. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan\r\nthe barcode and derive the second PIN. 
Once the attacker enters the correct secondary PIN into the pinpad, a second\r\nmenu is shown (Figure 6), which allows access to the cash dispenser.\r\nFigure 6: Screen after entering dynamically generated PIN\r\nIf the dispense cash option is selected, GreenDispenser attempts to query the registry location “HKEY_USERS\\ .DEFAULT\\XFS\\LOGICAL_SERVICES\\class=CDM” to find the peripheral name for the cash dispenser. If not found,\r\nit defaults to “CurrencyDispener1”, which is the cash dispenser peripheral name on specific ATMs. It then makes a call\r\nto WFSExecute with the command set to “WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash.\r\nFigure 7: API call to dispense cash\r\nGreenDispenser also has the ability to delete itself, as may be seen in the options offered in the malware interaction\r\nmenu. Typically, when a file is deleted, the operating system removes the reference pointer to the data but not the data\r\nitself. This allows files to be recovered later using disk editors and forensics tools. To prevent this forensic\r\nanalysis, GreenDispenser performs a deep delete using sdelete to remove itself from the ATM. The sdelete executable is\r\nembedded within GreenDispenser, which is written to disk as “del.exe” and run with the batch script shown in Figure 8.\r\nAgain, such an action would presumably exist to deter forensic and IR investigations after the heist.\r\nFigure 8: Batch script using sdelete to perform a deep delete\r\nConclusion\r\nATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from\r\nmultiple vendors. While current attacks have been limited to certain geographical regions such as Mexico, it is only a\r\nmatter of time before these techniques are abused across the globe. 
We believe we are seeing the dawn of a new criminal\r\nindustry targeting ATMs, with only more to come. In order to stay ahead of attackers, financial entities should reexamine\r\nexisting legacy security layers and consider deploying modern security measures to thwart these threats.\r\nReferences\r\n[1] https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html\r\n[2] http://www.symantec.com/connect/blogs/texting-atms-cash-shows-cybercriminals-increasing-sophistication\r\n[3] https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/\r\n[4] https://en.wikipedia.org/wiki/CEN/XFS\r\n[5] https://doc.axxonsoft.com/confluence/display/atm70en/Configuring+the+connection+to+the+card+reader+service+provider\r\nIOCs\r\nHashes (SHA256)\r\n20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5\r\n50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572\r\n7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0\r\n77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541\r\nb7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f\r\nMutex:\r\ndispenserprgm\r\nCreated desktop name:\r\ndDispW\r\nCreated window name:\r\nDispenser\r\nRegistry queries:\r\nHKEY_USERS\\ .DEFAULT\\XFS\\LOGICAL_SERVICES\\class=PIN\r\nHKEY_USERS\\ .DEFAULT\\XFS\\LOGICAL_SERVICES\\class=CDM\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser"
	],
	"report_names": [
		"Meet-GreenDispenser"
	],
	"threat_actors": [],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/634be62fe2d04e87745513d7788f86bb1b9f6372.pdf",
		"text": "https://archive.orkl.eu/634be62fe2d04e87745513d7788f86bb1b9f6372.txt",
		"img": "https://archive.orkl.eu/634be62fe2d04e87745513d7788f86bb1b9f6372.jpg"
	}
}