{
	"id": "05b01b9b-890e-413b-a676-ac53d0f40e66",
	"created_at": "2026-04-06T00:08:39.201801Z",
	"updated_at": "2026-04-10T03:21:35.808682Z",
	"deleted_at": null,
	"sha1_hash": "ea95a0c53bbba5482dc96043e973ac9100b343c4",
	"title": "Tyupkin: manipulating ATM machines with malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 355650,
	"plain_text": "Tyupkin: manipulating ATM machines with malware\r\nBy GReAT\r\nPublished: 2014-10-07 · Archived: 2026-04-05 21:07:30 UTC\r\nEarlier this year, at the request of a financial institution, Kaspersky Lab’s Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe. During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.\r\nAt the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe. Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.\r\nDue to the nature of the devices where this malware is run, we do not have KSN data to determine the extent of the infections. However, based on statistics culled from VirusTotal, we have seen malware submissions from the following countries:\r\nhttps://securelist.com/tyupkin-manipulating-atm-machines-with-malware/66988/\r\nPage 1 of 6\n\nThis new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.\r\nThe malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.\r\nWhen the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.\n\nMost of the analyzed samples were compiled around March 2014. However, this malware has evolved over time. In its latest variant (version .d) the malware implements anti-debug and anti-emulation techniques, and also disables McAfee Solidcore on the infected system.\r\nAnalysis\r\nAccording to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.\r\nThe attackers copied the following files into the ATM:\r\nC:\\Windows\\system32\\ulssm.exe\r\n%ALLUSERSPROFILE%\\Start Menu\\Programs\\Startup\\AptraDebug.lnk\r\nAfter some checks of the environment, the malware removes the .lnk file and creates a key in the registry:\r\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n“AptraDebug” = “C:\\Windows\\system32\\ulssm.exe”\r\nThe malware is then able to interact with the ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).\r\nThe malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.\r\nIt accepts the following commands:\r\nXXXXXX – Shows the main window.\r\nXXXXXX – Self-deletes with a batch file.\r\nXXXXXX – Increases the malware activity period.\r\nXXXXXX – Hides the main window.\r\nAfter every command the operator must press “Enter” on the ATM’s PIN pad.\r\nTyupkin also uses session keys to prevent interaction with random users. After entering the “Show the main window” command, the malware shows the message “ENTER SESSION KEY TO PROCEED!” using a random seed for each session.\r\nThe malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered is it possible to interact with the infected ATM.\r\nAfter that, the malware shows the following message:\r\nCASH OPERATION PERMITTED.\r\nTO START DISPENSE OPERATION –\r\nENTER CASSETTE NUMBER AND PRESS ENTER.\r\nWhen the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.\n\nWhen the session key entered is incorrect, the malware disables the local network and shows the message:\r\nDISABLING LOCAL AREA NETWORK…\r\nPLEASE WAIT…\r\nIt is not clear why the malware disables the local network. This is likely done to delay or disrupt remote investigations.\n\nA video with a demonstration in a real ATM is available.\r\nConclusion\r\nOver the last few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software. Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to arrests and prosecution of cyber-criminals.\r\nThe successful use of skimmers to secretly swipe credit and debit card data when customers slip their cards into ATMs at banks or gas stations is well known and has led to a greater awareness for the public to be on the lookout – and take precautions – when using public ATMs.\r\nNow we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs directly or through direct APT-style attacks against the bank. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.\r\nThe fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.\r\nOur recommendation to banks is to review the physical security of their ATMs and consider investing in quality security solutions.\r\nMitigation recommendations\r\nWe recommend that financial institutions and businesses that operate ATMs on premises consider the following mitigation guidance:\n\nReview the physical security of their ATMs and consider investing in quality security solutions.\r\nChange default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.\r\nInstall and make sure that the ATM security alarm works. It was observed that the cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed.\r\nFor instructions on how to verify that your ATMs are not currently infected in one step, please contact us at intelreports@kaspersky.com. For a full scan of the ATM’s system and deleting the backdoor, please use the free Kaspersky Virus Removal Tool (you may download it here).\r\nGeneral advice for on-premise ATM operators\r\nEnsure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.\r\nRegularly check the ATM for signs of attached third-party devices (skimmers).\r\nBe on the lookout for social engineering attacks by criminals who may be masquerading as inspectors or security alarms, security cameras or other devices on premises.\r\nTreat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.\r\nConsider filling the ATM with just enough cash for a single day of activity.\r\nFor more advice both for merchants and users please visit http://www.link.co.uk/AboutLINK/site-owners/Pages/Security-for-ATMs.aspx\r\nSource: https://securelist.com/tyupkin-manipulating-atm-machines-with-malware/66988/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/tyupkin-manipulating-atm-machines-with-malware/66988/"
	],
	"report_names": [
		"66988"
	],
	"threat_actors": [],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea95a0c53bbba5482dc96043e973ac9100b343c4.pdf",
		"text": "https://archive.orkl.eu/ea95a0c53bbba5482dc96043e973ac9100b343c4.txt",
		"img": "https://archive.orkl.eu/ea95a0c53bbba5482dc96043e973ac9100b343c4.jpg"
	}
}