Researchers find malware thought behind $350k Thai ATM raids

ATM Fraud in Thailand

LAST week, a group of Eastern European cyber thieves hacked automated teller machines (ATM) in Thailand, getting away with more than US$350,000 (over THB12 million). Security researchers suspect that a new, sophisticated malware program called Ripper may have been used to pull off the heist.

According to a report by the International Data Group (IDG), a sample of Ripper was uploaded to VirusTotal, an online virus and malware scanner, from a Thai IP address just before local reports of the hack went live.

A total of 21 ATMs across the country were hacked, forcing the Government Savings Bank to shut all ATMs made by one vendor, NCR, down. Bank officials, however, reassured customers that the money was stolen from the bank, and not customers’ accounts.

SEE ALSO: Eastern European hackers swindle millions of Baht from Thai ATMs

FireEye, a cyber security company based in California, found that Ripper targeted three of the main ATM vendors worldwide, and can interact with a specific ATM card with a Europay, Mastercard and Visa (EMV) chip.

Once in place, the malware works by killing and replacing the ATM software with itself, and then examining the “contents of directories” of the targeted ATM vendors without raising suspicion. From there, the thieves can insert their Ripper-specific cards and interact with the ATM to carry out a number of actions.

SEE ALSO: Thailand ranked 5th highest risk for cybersecurity threats in Asia

These include disabling the local network interface to stop the system from communicating with the bank, and rebooting it to avoid prompts for confirmation. Thieves can also issue commands for the machine to dispense up to 40 banknotes at a time.

“This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices,” writes FireEye. “In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical.”

Ripper has some features that are similar to past ATM malware programs such as Padpin (Tyupkin), SUCEFUL, and GreenDispenser, but this is the first time security researchers have seen a malware that targets three of the biggest ATM vendors globally.

This story first appeared on Tech Wire Asia