Researchers at Proofpoint have discovered a new breed of ATM malware dubbed GreenDispenser, which allows infected machines to be drained of cash.

When installed, GreenDispenser may display an ‘out of service’ message on the ATM, but attackers who enter the correct pin codes can then empty the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.

Proofpoint noted that initial malware installation would likely require physical access to the ATM – raising questions of compromised physical security or personnel. GreenDispenser also had the ability to target ATM hardware from multiple vendors using the XFS standard, said the analysts, with attackers probably using an application that could run on a mobile phone to carry out the attack.

The malware strains that Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was initially employed in a limited operation and designed to deactivate itself to avoid detection. Investigators picked up attacks taking place in Mexico, but said the techniques used were likely to go global.

Kevin Epstein, vice president of threat operations for Proofpoint, explained: “ATM malware such as GreenDispenser is particularly alarming because it allows cyber criminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers – and with correspondingly less traceability. In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.”

Share Story: