New malware variant targets NCR ATM software

According to digital forensics specialists, the hacker group identified as FIN7 has developed a new malicious tool capable of delivering payloads directly into the memory of the targeted system; it also includes a module that connects to the remote control software used by NCR Corporation, an ATM manufacturer.

The experts, members of the Mandiant research team (part of the security firm FireEye), dubbed this malware Boostwrite and note that some of the samples they have collected can deliver more than one payload, including the dangerous backdoor known as Carbanak, which is often associated with this group's activities.

Digital forensics experts also note that Boostwrite delivers a Remote Access Trojan (RAT) identified as RDFSNIFFER, and that it decrypts its payloads using keys the attackers supply once the malware is launched. “The malware uses a DLL search hijacking technique to load its own malicious DLL into the memory of the targeted system, allowing it to download the initialization vector and key to decrypt the built-in payloads”, the experts explain.
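The loading technique quoted above leaves a simple on-disk footprint a defender can hunt for: a DLL carrying the name of a Windows system library that is loaded from an application folder rather than a system directory. The following script, added here as an example and not code from the article or from FireEye, checks a process-module listing for that pattern; the listing format, the allow-list of system DLL names and the process/path values are constructed for the example.

```python
"""Flag loaded modules that shadow a well-known Windows system DLL from a
non-system directory: the on-disk footprint of the DLL search-order hijacking
technique described above.  Module listing below is constructed sample data."""
from dataclasses import dataclass
import ntpath

# Directories Windows normally loads its own DLLs from (compared case-insensitively).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# OS-provided DLLs commonly imported by applications; finding one of these in an
# application folder instead of a system directory is the hijack pattern.
# Constructed allow-list for the example, not an exhaustive catalogue.
KNOWN_SYSTEM_DLLS = {"dwrite.dll", "version.dll", "cryptsp.dll", "uxtheme.dll"}

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    module_path: str

def _in_system_dir(path: str) -> bool:
    folder = ntpath.dirname(path).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)

def find_shadowed_system_dlls(module_listing: str) -> list:
    """Parse 'pid<TAB>image<TAB>module_path' lines (the shape of a process-module
    dump) and return one Finding per system-named DLL loaded from elsewhere."""
    findings = []
    for line in module_listing.strip().splitlines():
        pid, image, module_path = line.split("\t")
        name = ntpath.basename(module_path).lower()
        if name in KNOWN_SYSTEM_DLLS and not _in_system_dir(module_path):
            findings.append(Finding(int(pid), image, module_path))
    return findings

# Constructed sample: a benign process, a process whose version.dll came from its
# own program folder (flagged), and a WinSxS load that must not be flagged.
SAMPLE_LISTING = """\
1204\tnotepad.exe\tC:\\Windows\\System32\\dwrite.dll
1204\tnotepad.exe\tC:\\Windows\\System32\\version.dll
3312\tVendorApp.exe\tC:\\Program Files\\VendorApp\\version.dll
3312\tVendorApp.exe\tC:\\Windows\\WinSxS\\x86_sample_assembly\\uxtheme.dll
"""

if __name__ == "__main__":
    for f in find_shadowed_system_dlls(SAMPLE_LISTING):
        print(f"pid={f.pid} {f.image}: {f.module_path} shadows a system DLL")
```

A real hunt would feed this the module list of every running process and follow up each finding by checking the file's signature and hash.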

Finally, once the encryption key and initialization vector have been downloaded, Boostwrite decrypts the payloads and verifies that the process completed successfully. If it did, millions of ATM users around the world could be exposed.

The activities of the FIN7 hacking group (also known as Cobalt or Carbanak) were first detected in mid-2015, when it targeted banking institutions and point-of-sale terminals for profit using the dangerous Carbanak backdoor.

Although an international operation a few months ago led to the arrest of some of this group's leaders, digital forensics experts from the International Institute of Cyber Security (IICS) note that FIN7 has managed to consolidate new leadership and even develop new attack variants, including new malware strains such as Boostwrite. Besides FireEye, other security firms such as Kaspersky Labs claim to have detected multiple hacking campaigns linked to FIN7 that employ malware variants such as Carbanak and BabyMetal, so it is highly likely that this group of cybercriminals keeps evolving.