Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Backdoor.ATM.Suceful – ATM Malware Like No Other

Name Backdoor.ATM.Suceful
Type ATM Malware, Backdoor
Short Description Suceful is the first ATM malware to target physical debit and credit cards.
Symptoms The victim’s card can be retained.
Distribution Method Backdoor.
Detection tool Download Malware Removal Tool, to See If Your System Has Been Affected By Backdoor.ATM.Suceful

Stealing money online has never been easier. ATM malware, along with other online money theft scams, has been quite popular during the last couple of years. One of the latest ATM ‘viruses’ enables criminals to physically harvest debit and credit cards inserted into automated teller machines, or as they’re known for short – ATMs. The malware is dubbed Suceful and, most likely, has been created on August 25, 2015.

suceful-architechture
ImageSource: FireEye

The malicious piece has been identified by the research team at FireEye. The malevolent threat was detected as Backdoor.ATM.Suceful. If you notice something weird about the Suceful name, there is a simple explanation. Its authors made a spelling mistake.

Backdoor.ATM.Suceful Technical Review

We have already written about the various types which enable cyber criminals to steal money online. PoS malware and ATM malware pieces are one of them. What is interesting about Backdoor.ATM.Suceful is it incorporates features never seen in ATM threats before. The new twist, as pointed out by FireEye, is directly targeting the cardholders. Even though Suceful is most likely still in development, its characteristics make it a fearful one.

The malware is smartly designed. It permits the authors to test if it operates properly. When the word Suceful is displayed within the testing interface, it means that the attack was… successful, indeed.
Backdoor.ATM.Suceful shares similarities with other ATM threats that have been detected in previous years, such as Ploutus and PadPin. What is common with the three of them is they interact with a middleware called XFS Manager. XFS Manager is a part of the WOSA/XFS[3] Standard used by major vendors.

Suceful may have several malicious capabilities in Debold and NCR ATMs:

  • Reading all credit/debit card track data.
  • Reading data from the chip of the card.
  • Malware control via ATM PIN pad.
  • Retention or ejection of the card on demand – this feature could be used to steal physical cards.
  • Suppressing ATM sensors to avoid detection.
  • XFS Manager.

Backdoor.ATM.Suceful Attack Explained

Once the distribution is initiated and defined as successful, Suceful will establish a connection with the XFS manager. Then, a session with the peripheral devices will be started through the Service Providers and XFS manager. Here, the first parameter is the Logical Device Name.

Once a session has been started, the APIs WFSExecute or WFSAsyncExecute can be applied to request certain operations to the peripheral devices. Here, the second parameter is the command to be executed.

As soon as this is done, the malware is ready to read debit card track data and chip, when a card is inserted. The malware can also wait to read it when the card is inserted or pulled through.

The DLL Hooking Feature

FireEye research indicates that DLL Hooking is also used. Even though the technique is not innovative, the reason it is being applied here is quite intriguing. Backdoor.ATM.Suceful can control and monitor all the commands given to the peripheral devices.

As explained by the FireEye research team, controlling and monitoring is done by changing the first 6 bytes of the API Entry point with a push , ret instruction to redirect execution.

Backdoor.ATM.Suceful Attack: the Conclusion

Since Suceful is the very first multi-vendor ATM malware aiming at cardholder, it is not easy to presume what might happen. Furthermore, there is no way to determine whether a card is retained because of the malware. Researchers’ advice is to have the contact number of your bank and call it, while keeping an eye on the ATM. Backdoor.ATM.Suceful is not only created to steal the tracks of the card but also to steal the card itself. This is what makes Suceful a unique piece of ATM malware.

How Can I Protect My Banking Information?

Read More about Online Money Theft in 2015

Banking malware is one of the biggest concerns in today’s cyber crime. US Intelligence research indicates that more than $1 billion alone were stolen in 2008 in ATM skimming. Cyber crime, as a total, has cost the world economy at least $400 billion. How can users protect their personal information? Even though it is quite difficult to protect one’s debit and credit card, users can protect their personal information. Having a strong anti-malware software running in real time and sustaining healthy surfing habits are the best tips in online security today.

donload_now_250
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.