The new malware sample was originally observed on Aug. 5 million heist in Taiwan, where a group of foreigners stole money from cash machines using a similar method. The malware, fwloadpm.exe, consistently has a limit of 40 bank notes per withdrawal, which is the maximum allowed by the ATM vendor. Moreover, the malware can control the card reader device to read or eject the card on demand, the same as SUCEFUL, and it can disable the local network interface, similar to the Padpin family.
What’s more, RIPPER is installed on the ATM through the insertion of a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism. Analysis of the malware has revealed that it can maintain persistence either as a standalone service or by masquerading as legitimate ATM software running on the ATM. RIPPER kills the processes running in memory for three targeted ATM vendors, then replaces the legitimate executables with itself. When RIPPER is executed without any parameters, it performs a series of actions, such as connecting to the cash dispenser, card reader, and PIN pad. The malware identifies the current devices by enumerating them and confirms that these devices are available by querying their status.
If they are not available, the malware exits. RIPPER was also designed to obtain dispenser information, such as the cash unit details, to determine the number and type of available notes. When a card with a malicious EMV chip is detected, RIPPER starts a timer to allow a thief to control the machine. The attackers can interact with RIPPER via the PIN pad and have multiple options at their disposal, including methods for dispensing currency. Directly from the ATM, the thieves can clear logs, shut down the ATM's local network interface to prevent it from communicating with the bank, reboot the system, and eject the malicious ATM card. Through open sources, we’ve identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware.
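A defender-side correlation of the host behaviours described above (vendor ATM processes killed and their executables overwritten, the local network interface disabled, logs cleared), written as an added example and not code from the original analysis; the telemetry schema, timestamps and the protected executable names are constructed placeholders, since the page does not name the vendor binaries.

```python
"""Correlate ATM host telemetry against the RIPPER behaviours described above.
Event records, field names and the protected executable names are constructed
for this example; take real vendor process names from your own baseline."""

# Placeholder names standing in for the ATM vendor executables that RIPPER
# terminates and overwrites with itself (the page does not name them).
PROTECTED_EXES = {"vendor_a_atm.exe", "vendor_b_atm.exe", "vendor_c_atm.exe"}

def classify(event):
    """Map one telemetry record to a RIPPER indicator name, or None."""
    kind = event["type"]
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if kind == "process_terminated" and image in PROTECTED_EXES:
        return "vendor_process_killed"
    if kind == "file_written" and image in PROTECTED_EXES:
        return "vendor_exe_replaced"
    if kind == "netif_change" and event.get("state") == "disabled":
        return "local_network_disabled"
    if kind == "eventlog_cleared":
        return "logs_cleared"
    return None

def correlate(events, window_s=300):
    """Return the largest set of distinct indicators seen within window_s seconds."""
    hits = sorted((e["ts"], classify(e)) for e in events if classify(e))
    best = set()
    for i, (t0, _) in enumerate(hits):
        window = {ind for t, ind in hits[i:] if t - t0 <= window_s}
        if len(window) > len(best):
            best = window
    return best

def should_alert(indicators):
    """A replaced vendor executable is decisive; otherwise require two behaviours."""
    return "vendor_exe_replaced" in indicators or len(indicators) >= 2

# Constructed sample: a RIPPER-like sequence followed by an unrelated event.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process_terminated", "image": r"C:\ATM\vendor_a_atm.exe"},
    {"ts": 101, "type": "process_terminated", "image": r"C:\ATM\vendor_b_atm.exe"},
    {"ts": 103, "type": "file_written", "image": r"C:\ATM\vendor_a_atm.exe"},
    {"ts": 240, "type": "netif_change", "state": "disabled"},
    {"ts": 250, "type": "eventlog_cleared"},
    {"ts": 9000, "type": "process_terminated", "image": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    print(sorted(found), "alert" if should_alert(found) else "no alert")
```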