How does RIPPER ATM malware use malicious EMV chips?

RIPPER malware has been found responsible for the theft of $378,000 from ATMs in Thailand. Expert Nick Lewis explains how this ATM malware works.

FireEye discovered a new ATM malware sample named "RIPPER," which it says is responsible for the theft of approximately $378,000 from ATMs across Thailand. How does this ATM malware work, and is there anything vendors can do to prevent more instances?

New ATM malware is starting to become a nonevent due to its prevalence, and it is something ATM manufacturers are already combating currently. It is turning into a constant competition between criminals and enterprise security programs. Unfortunately, ATMs are used in relatively insecure locations and have long lifespans, which makes protecting them over time more difficult.

The FireEye report on the RIPPER malware states that it has similar functionality to previous ATM malware, but is able to attack multiple brands of ATMs. Attackers use a specially manufactured ATM Europay, MasterCard and Visa (EMV) card for authentication; the malicious EMV chip is authenticated by the ATM and delivers the RIPPER malware to the system.

FireEye obtained the RIPPER malware from VirusTotal and analyzed it after they identified commonalities between ATM attacks in Thailand. The RIPPER ATM malware can disable network connections to reduce the chance of network-based alarms, delete logs to reduce evidence of the attack, set itself to look like a legitimate program on the endpoint and control cash dispensing.

ATM vendors can prevent ATM malware infections by using whitelisting. It is unclear why ATMs don't use whitelisting on a widespread basis, since the functionality of an ATM is very limited, and enterprises responsible for the machines should aim to prevent unapproved software from running on the ATMs. Whitelisting doesn't block all attacks, and it can be bypassed, but since ATMs don't run Microsoft Word, that specific bypass shouldn't work.

Enterprises with ATMs could also regularly scan the file system for unapproved files and set an alarm or disable all functionality if the logs are tampered with. 

Next Steps

Learn about the self-deleting ATM malware GreenDispenser

Find out the impact of Conficker malware infections of industrial control systems and supervisory control and data acquisition systems

Discover how SWIFT network communications can be made more secure

Dig Deeper on Threats and vulnerabilities