
Suspected sophisticated malware possibly tied to recent Thailand ATM heist

A malware program called Ripper allows attackers to withdraw money from ATMs using specially made ATM cards.

Security researchers have stumbled upon a very sophisticated malware program. It is said to have been used recently by a gang of hackers to steal approximately $350,000 from ATMs in Thailand.

A sample of the malware, dubbed Ripper, was uploaded to the VirusTotal database from an IP address in Thailand last week. This was shortly before local media reported that hackers had used malware to steal an astonishing 12.29 million baht from 21 ATMs.

The state-owned Government Savings Bank had to temporarily shut down all of its ATMs from a specific vendor in order to check them for malware.

Based on the analysis provided by FireEye, the sample received from Thailand is the most probable culprit for the Thailand heist.

It targets a specific ATM brand as well as two others. It is said that it can disable the ATM's local network interface, which happened during the recent incidents. It was compiled on July 10, a month before it was publicly disclosed.

Once installed, the malware waits for specially programmed chips before it activates. From there, a mechanism used for authentication kicks in, which has been used in the past to issue commands to dispense up to 40 bills or bank notes from the cash dispensers.

Features from other malware, namely SUCEFUL, GreenDispenser and Padpin (Tyupkin), are found in Ripper, according to researchers.

Several deployment schemes could have been used to carry out the heist. One is by an insider, probably a technician who services ATMs. Another possibility is through the CD-ROM or USB ports that become accessible once the covers are opened using special service keys. Another method can only be used if the ATM is in an unsecured place.
