Alice is the name of the latest ATM malware family that has been discovered by researchers at TrendMicro. Alice ATM malware is a bit different from other ATM malware pieces – it is not controlled via the numeric pad of ATMs and it doesn’t have infostealer features. Alice’s only purpose is to cash out ATMs.
The malware was discovered in November this year. Researchers collected a list of hashes, and the files corresponding to those hashes were obtained from VirusTotal for detailed analysis. Researchers first thought that one of the binaries belonged to a new variant of the Padpin ATM malware. After reverse-engineering it, they concluded that the binary belonged to a brand new family.
Alice ATM Malware: Technical Details
First of all, why Alice? The name was derived from the version information embedded in the malicious binary.
Besides its name, there are other curious details about Alice. As explained by researchers, the malware is very feature-lean and only includes the basic functionality needed to empty the money safe of the targeted ATM. Alice is designed to connect to the CurrencyDispenser1 peripheral, but it is not designed to use the ATM’s PIN pad. A logical explanation is that cybercriminals want to physically open the ATM to infect it via USB or CD-ROM. Once this is done, a keyboard would be connected to the ATM’s mainboard to operate the malware through it.
Another possible scenario is opening a remote desktop to control the menu via the network, but TrendMicro never saw Alice doing this.
The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism—it works by merely running the executable in the appropriate environment.
On the other hand, Alice shares some similarities with other ATM malware families, such as the user authentication. Money mules are given the actual PIN that is needed for the operation. The first command they enter drops the cleanup script, while entering the machine-specific PIN code lets them access the operator panel for money dispensing, TrendMicro explained.
This access code changes between samples to prevent mules from sharing the code and bypassing the criminal gang, to keep track of individual money mules, or both. In our samples the passcode is only 4 digits long, but this can be easily changed. Attempts to brute-force the passcode will eventually cause the malware to terminate itself once the PIN input limit is reached.
Alice Designed to Run on XFS Environment
Researchers also believe that Alice was designed to run on any vendor’s hardware configured to use the Microsoft Extended Financial Services middleware known as XFS. Alice only searches for an XFS environment. In addition, the malware uses only commercially available packers like VMProtect. TrendMicro found GreenDispenser packed with Themida, and Ploutus packed with Phoenix Protector, among others. The use of packing makes analysis and reverse engineering harder to carry out. Malware has relied on these methods for a long time, with most modern malware using custom-built packers.
It is indeed curious that ATM malware needed so much time to embrace packing and obfuscation. One reason may be that ATM malware was more of a niche category operated by just a few criminal groups. Unfortunately, ATM malware is becoming more mainstream, meaning that its authors will continue to develop their work.