Hackers earn millions with this ATM cashout malware

Ethical hacking specialists from the security firm Kaspersky reported the discovery of a new malware variant used by hackers to infect ATMs and extract cash through illicit transactions in Mexico and some South American territories, such as Colombia.

Kaspersky, which provides cybersecurity services and runs an advanced research program, reported that, after an intensive analysis, it identified the mode of operation of the malware, dubbed ATMJaDi. According to the firm's experts, the malware targets a narrowly defined set of ATMs, suggesting that one or more employees of banking institutions might be involved.

In their report, ethical hacking experts state that the malware cannot be controlled via the ATM’s keyboard or touch screen; instead, the attackers remotely send a series of specially crafted commands to empty the ATM, a practice known as ‘jackpotting’.

Once installed, the malware, delivered as a Java file, infects the machine and takes control by issuing commands recognized by the ATM software. Finally, the malware concludes the infection by displaying the phrase “Libertad y Gloria” (Freedom and Glory) on the ATM’s screen.

According to the ethical hacking specialists from the International Institute of Cyber Security (IICS), an intriguing detail about this malware is that it does not use the standard middleware layers, such as XFS, JXFS or CSC, present in most ATMs. Instead, the malware was written in Java, which is rare in such attacks; however, this technique had already been observed in previous jackpotting attacks in Latin America.

This method of attack suggests that the threat actors had extensive knowledge of their targets before deploying the malware on banking networks.

Finally, the experts noted that the malware code was written in English, although it featured multiple markers and lures in Russian intended to mislead researchers about the true origin of the attack; “This was obvious due to the misuse of the Russian language by the hackers”, says Dmitry Bestuzhev, who led the investigation.