{
	"id": "998328ef-8dbc-43d1-8435-2c0407226310",
	"created_at": "2026-04-06T00:22:07.762804Z",
	"updated_at": "2026-04-10T13:12:58.033472Z",
	"deleted_at": null,
	"sha1_hash": "bea003c95d6182d76a8000fda835b92fd37a6e07",
	"title": "ATM infector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 225117,
	"plain_text": "ATM infector\r\nBy GReAT\r\nPublished: 2016-05-17 · Archived: 2026-04-02 11:20:04 UTC\r\nSeven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of\r\nthousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called\r\nSkimer. Seven years later, our Global Research and Analysis Team, together with our Penetration Testing Team, have\r\nbeen called on for an incident response. They discovered a new, improved version of Skimer.\r\nVirus style infections\r\nCriminals often obscured their malware with packers to make analysis more difficult for researchers. The\r\ncriminals behind Skimer also did this, using the commercially available packer Themida, which packs both the\r\ninfector and the dropper.\r\nOnce the malware is executed, it checks if the file system is FAT32. If it is, it drops the file netmgr.dll in the folder\r\nC:\\Windows\\System32. If it is an NTFS file system, the same file will be placed in the NTFS data stream\r\ncorresponding to the XFS service's executable file. Placing the file in an NTFS data stream is most likely done to\r\nmake forensic analysis more difficult.\r\nAfter successful installation, the sample patches the entry point of the XFS executable (SpiService.exe) in order to add a\r\nLoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.\r\nEntry point in SpiService.exe before infection\r\nhttps://securelist.com/atm-infector/74772/\r\nPage 1 of 5\n\nEntry point in SpiService.exe after infection\r\nAfter a successful installation the ATM is rebooted. 
The malicious library will be loaded into the SpiService.exe\r\nthanks to the new LoadLibrary call, providing it with full access to XFS.\r\nFunctionality\r\nUnlike Tyupkin, which used a magic code and a specific time frame during which the malware was active, Skimer\r\nonly wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is\r\na smart way to implement access control to the malware’s functionality.\r\nOnce the magic card is inserted, the malware is ready to interact with two different types of cards, each with\r\ndifferent functions:\r\n1. Card type 1 – request commands through the interface\r\n2. Card type 2 – execute the command hardcoded in the Track2\r\nAfter the card is ejected, the user will be presented with a form, asking them to insert the session key in less than\r\n60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity.\r\nThese codes should be entered from the pin pad.\r\nBelow is a list of the most important features:\r\n1. Show installation details;\r\n2. Dispense money – 40 notes from the specified cassette;\r\n3. Start collecting the details of inserted cards;\r\n4. Print collected card details;\r\n5. Self delete;\r\n6. Debug mode;\r\n7. Update (the updated malware code is embedded on the card).\r\nDuring its activity, the malware also creates the following files or NTFS streams (depending on the file system\r\ntype). 
These files are used by the malware at different stages of its activity, such as storing the configuration,\r\nstoring skimmed card data and logging its activity:\r\nC:\\Windows\\Temp\\attrib1 card data collected from network traffic or from the card reader;\r\nC:\\Windows\\Temp\\attrib4 logs data from different APIs responsible for the communication with the\r\nkeyboard (effectively logging data such as the pin); C:\\Windows\\Temp\\mk32\r\nC:\\Windows\\Temp:attrib1 same as the file of the same name;\r\nC:\\Windows\\Temp:attrib4 same as the file of the same name;\r\nC:\\Windows\\Temp:mk32 same as the file of the same name;\r\nC:\\Windows\\Temp:opt logs the mule's activity.\r\nMain window\r\nThe following video shows how money mules interact with an infected ATM, as described above.\r\nConclusions\r\nDuring our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak\r\nand black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attackers' interest in these\r\nmalware families, as ATMs are a very convenient cash-out mechanism for criminals.\r\nOne important detail to note about this case is the hardcoded information in the Track2 – the malware waits for\r\nthis to be inserted into the ATM in order to activate. 
Banks may be able to proactively look for these card numbers\r\ninside their processing systems, and thereby detect potentially infected ATMs or money mules, or block attempts to activate\r\nthe malware.\r\nWe also recommend regular AV scans, the use of allowlisting technologies, a good device management policy, full\r\ndisk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the\r\nATM network from any other internal bank networks.\r\nKaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting\r\nATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.\r\nAll samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are\r\ndetected as Trojan.Win32.Patched.rb.\r\nAs this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs,\r\nfinancial institutions and Kaspersky Lab Threat Intelligence Service customers. For more information please\r\ncontact intelreports@kaspersky.com.\r\nAppendix I. 
Indicators of Compromise\r\nHashes\r\nFilenames\r\nC:\\Windows\\Temp\\attrib1\r\nC:\\Windows\\Temp\\attrib4\r\nC:\\Windows\\Temp\\mk32\r\nC:\\Windows\\Temp:attrib1\r\nC:\\Windows\\Temp:attrib4\r\nC:\\Windows\\Temp:mk32\r\nC:\\Windows\\Temp:opt\r\nC:\\Windows\\System32\\netmgr.dll\r\nTrack 2 data\r\nSource: https://securelist.com/atm-infector/74772/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/atm-infector/74772/"
	],
	"report_names": [
		"74772"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bea003c95d6182d76a8000fda835b92fd37a6e07.pdf",
		"text": "https://archive.orkl.eu/bea003c95d6182d76a8000fda835b92fd37a6e07.txt",
		"img": "https://archive.orkl.eu/bea003c95d6182d76a8000fda835b92fd37a6e07.jpg"
	}
}