New 'Ripper' Malware Fueled Thai ATM Attacks
$350,000 Stolen in 'Jackpotting' Spree; Thai Police Name Russian Suspect
(This story has been updated with details from NCR.)
Thai police say they have identified all of the suspects allegedly involved in recent malware attacks against 21 ATMs in that nation. The attacks targeted ATMs run by Government Savings Bank, a state-owned Thai bank based in Bangkok.
The gang allegedly used malware to "jackpot" NCR-built machines, making them disgorge cash on demand and allowing the thieves to steal a total of 12 million baht ($350,000) in July and August.
While ATM cash-out malware is nothing new, the strain of attack code used in this attack doesn't appear to have been seen before, according to a technical analysis published by cybersecurity firm FireEye. It said the ATM attack malware - which it nicknamed "Ripper," in reference to its internal project name, "ATMRIPPER" - was uploaded to the malware-checking service VirusTotal from a Thai IP address just minutes before the Bangkok Post newspaper first reported the 12 million baht ATM theft, and that it suspects Ripper was used in the attacks against GSB.
An NCR spokesman confirms to Information Security Media Group that the malware used in the attacks was, indeed, Ripper.
NCR says in an Aug. 29 security alert that attackers hacked into Government Savings Bank's network to initially infect the ATMs with the malware. "This is a network attack. The attackers have breached the financial institution's internal network," NCR's alert says. "Once inside the network, the attackers are spoofing the software distribution server as the means to deliver the malware to ATMs." It said the software distribution tool, built by InfoMindz, was Software Distribution and Management System version 2.3.0.
Police to Issue Arrest Warrants
Police in Thailand announced Aug. 30 that they have identified all of the suspects and plan to issue arrest warrants.
The attacks, according to police, were perpetrated by up to nine individuals - at least six of whom hail from Eastern Europe - who split into three groups and used modified U.K. payment cards to install malware onto 21 ATMs and make them issue cash in lots of 40,000 baht ($1,160), newspaper Thai Rath reported. Police said that for some of the attacks, one group of attackers may have installed the malware, followed sometime later by another group that made the withdrawals. They said that all of the ATMs were run by Government Savings Bank and that the targeted ATMs were located in six provinces - Bangkok, Chumphon, Phetchaburi, Phuket, Prachuap Khiri Khan and Surat Thani.
Police have named Russian national Rustam Shambasov, 29, as one of the suspects involved in the attacks, saying he was seen via CCTV on the island province of Phuket wearing a t-shirt that said "Detroit" and traced via a passport used to rent one of the cars used in the crime spree, Thai News Agency reported. Police have issued a warrant for his arrest, but note that he departed the country Aug. 1 via Bangkok's Suvarnabhumi airport after having flown into Phuket on July 14.
"We also had images of other suspects which were not clear. However, we have now found better quality images of these suspects and we expect arrest warrants for all suspects to be issued by this evening," Gen. Panya Mamen, senior adviser to the Royal Thai Police, said at an Aug. 30 press conference, Thailand's Class Act Media reports. "We will not present the images we have of the additional suspects to the media just yet because it could affect our investigation. However, even if the suspects have since fled the country, we will use international laws to bring them back. We can send the arrest warrants to the country where they take refuge."
Given that at least one of the suspects is Russian, however, it's important to note that Russian authorities never extradite suspects who are Russian citizens.
Patch Teams Target 3,300 ATMs
In the wake of the attacks, Government Savings Bank deactivated more than 3,300 ATMs - nearly half of all of its ATMs - across six of the country's 76 provinces, reported Thailand's The Nation newspaper. NCR, which manufactured the affected ATMs, has developed a patch and assembled 60 teams to install it on affected ATMs, the newspaper reports.
Government Savings Bank's CEO, Chatchai Payuhanaveechai, told The Nation that the ATMs would be disinfected at a rate of 200 per day, and that the bank expected to have all ATMs back online in September.
NCR's security alert notes that the company has updated its "Stinger" anti-malware scanning software, which can be used to detect and remove known versions of this malware from ATMs. "Perform the scan regularly," the alert recommends. "NCR may provide a new Stinger if further malware variants are identified. Stinger does not prevent reinfection."
As noted, attackers distributed the malware onto ATMs via the bank's software distribution and management system tool. To help minimize the chance of other successful attacks, NCR's security alert offers multiple recommendations. The principal one is to "modify the ATM firewall to block incoming SDMS port connections from non-SDMS server IP addresses." While this will not block attackers outright, it says, the change will at least help to disrupt them.
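The firewall change NCR recommends can also be expressed as a review check against an ATM's connection logs: any inbound connection to the SDMS port from an address that is not the legitimate SDMS server is exactly the pattern of a spoofed distribution server. The following is an added illustration, not code from NCR, GSB or the article; the SDMS port number, the server address and the log lines are constructed placeholders, since the article does not give them.

```python
import ipaddress
from typing import Dict, List

# Placeholder values (assumptions, not from the article): substitute the real
# SDMS listener port and the real SDMS server address(es) for your estate.
SDMS_PORT = 9999
ALLOWED_SDMS_SERVERS = {ipaddress.ip_address("10.10.0.5")}


def sdms_rule_blocks(direction: str, src: str, dport: int) -> bool:
    """Model NCR's recommended rule: block *inbound* connections to the SDMS
    port unless the source is a known SDMS server. Traffic to other ports is
    outside this rule's scope and is not blocked by it."""
    if direction != "in" or dport != SDMS_PORT:
        return False
    return ipaddress.ip_address(src) not in ALLOWED_SDMS_SERVERS


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value' connection-log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def spoofed_sdms_connections(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return every logged connection the rule above would have blocked,
    i.e. candidate spoofed-SDMS-server traffic worth investigating."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if sdms_rule_blocks(rec.get("dir", ""), rec["src"], int(rec.get("dport", 0))):
            hits.append(rec)
    return hits


# Constructed sample log: one legitimate SDMS push, one push from an unknown
# host on the SDMS port, and two unrelated connections.
SAMPLE_LOG = [
    "ts=2016-07-20T01:02:03Z dir=in src=10.10.0.5 dport=9999 action=allow",
    "ts=2016-07-20T02:15:40Z dir=in src=10.10.7.44 dport=9999 action=allow",
    "ts=2016-07-20T02:16:01Z dir=out src=10.10.3.2 dport=443 action=allow",
    "ts=2016-07-20T02:17:12Z dir=in src=10.10.7.44 dport=445 action=allow",
]

if __name__ == "__main__":
    for rec in spoofed_sdms_connections(SAMPLE_LOG):
        print("possible spoofed SDMS server:", rec["src"], "at", rec["ts"])
```

The rule only distinguishes hosts by source address, so, as the alert itself cautions, it disrupts rather than prevents an attacker who already controls the internal network.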
Ripper Teardown
FireEye says the Ripper malware has much in common with previously seen ATM malware - including Padpin, a.k.a. Tyupkin; Suceful; and GreenDispenser - and that it includes the ability to disable the local network interface as well as to securely delete attack-related data, to better foil digital forensic investigations.
In a first, the malware is designed to target ATMs built by three global manufacturers, FireEye senior malware researcher Daniel Regalado says in a blog post, without naming the vendors.
Also unusual is that "Ripper interacts with the ATM by [attackers] inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism," Regalado says. "Although this technique was already used by the Skimmer [a.k.a. Skimer] family, it is an uncommon mechanism."
He added that the malware was also programmed to enforce "a limit of 40 bank notes per withdrawal consistently, which is the maximum allowed by the ATM vendor," in apparent reference to NCR.
NCR's security alert also notes that this attack shows criminals refining their tactics. "Network attacks are not new and are not unique to NCR ATMs, however this attack represents a newer variation of the network attack vector," NCR's security alert says. "Analysis of the malware indicates that it also targets other ATM vendors."
The NCR spokesman declined to share the identity of the other two ATM vendors.