Alice Malware Targets ATM Machines

Security researchers have uncovered a new ATM virus called Alice malware that is tailor-made to compromise ATM machines. Continue reading our guide to learn more about it, how to remove existing threats, and how to protect yourself from related threats in the future.

The Alice ATM Malware Is Very Dangerous


Security experts from Trend Micro discovered a new malware family called Alice, which they describe as "the most stripped down ATM malware family we have ever encountered". Its only goal is to empty the safe of the infected machine; unlike other ATM threats it cannot be controlled via the numeric pad and it has no information-stealing capabilities.

The first strains were identified in November 2016 as a result of a joint research program with Europol EC3. The security experts collected a list of hashes that led to the discovery of the virus. The first malware developed specifically for ATMs dates back to 2007. In the years since, only 8 unique ATM malware families have appeared, a very low number compared with other types of malware.


The Alice family of viruses is a newly discovered threat that has been carefully studied. According to the various malware submissions, the virus has been active since at least October 2014. The discovered samples were packed using a commercial packer called VMProtect. The criminal developers behind the malware built an anti-debugging check into the software: if the program is run inside a debugger it displays an error message and terminates. Before the malicious code is executed, Alice performs a detailed environment check to make sure it is running on an actual ATM. This is done by checking for these two registry values:

  • HKLM\SOFTWARE\XFS
  • HKLM\SOFTWARE\XFS\TRCERR

If these registry values are not found the malware assumes that the infected machine is not an ATM and terminates itself. In addition the virus checks for the availability of the following DLL files:

  • MSXFS.dll
  • XFS_CONF.dll
  • XFS_SUPP.dll

If the environment check is completed successfully the malware displays an authorization window that requires a PIN code.

Alice Malware Execution

Once Alice is initialized on the host system it follows a predefined execution pattern.

The malware creates an empty 5 MB+ file called xfs_supp.sys and an error log file TRCERR.LOG in the root directory. The first file is filled with zeros while the log file is used to write any errors that occur during execution. This includes all XFS API calls and their corresponding messages.

Alice connects itself to the CurrencyDispenser1 peripheral device, which is the default name of the dispenser device used by the XFS environment. It is important to note that Alice has only one goal: to empty the money containers. This means that the following statements are true:

  • The virus does not gather any information like account credentials or PIN inputs
  • Alice doesn’t terminate itself if it fails to connect to the cash dispenser. It merely logs the error and remains on the system
  • Further modifications of Alice can lead to devastating effects

The researchers have managed to uncover a few of the PIN commands, each of which triggers a different action. Here are the possibilities:

  • PIN input of 1010100 – Decrypts and drops file sd.bat in current directory. This batch file is used to cleanup/uninstall Alice.
  • PIN input of 0 – Exits the program and runs sd.bat. Also deletes xfs_supp.sys.
  • PIN input of specific 4-digit PIN based on ATM’s terminal ID – Opens the “operator panel”.

Opening up the “operator panel” reveals the loaded cassettes that hold the money. The following values are displayed for each cassette: ID, Bills count, Bill value, Currency, Result.

Alice is usually found on the infected system as the taskmgr.exe process.
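Hunting for the host artifacts described in this section (the zero-filled xfs_supp.sys and TRCERR.LOG at the drive root, and taskmgr.exe running from an unexpected location), as an added Python example that is not the article's or Trend Micro's code; the legitimate Task Manager directories and the sample observations are assumptions.

```python
# Added example (not the article's or Trend Micro's code); inputs are constructed.
from pathlib import PureWindowsPath

ZERO_FILE_NAME = "xfs_supp.sys"       # zero-filled, 5 MB+, at drive root
LOG_FILE_NAME = "TRCERR.LOG"          # error log written at drive root
MIN_ZERO_FILE_SIZE = 5 * 1024 * 1024
# Assumption: the only legitimate homes of taskmgr.exe on a Windows host.
LEGIT_TASKMGR_DIRS = {("windows", "system32"), ("windows", "syswow64")}

def is_zero_filled(data: bytes) -> bool:
    """True when every byte is 0x00, which is what Alice writes into xfs_supp.sys."""
    return len(data) > 0 and data.count(0) == len(data)

def at_drive_root(p: PureWindowsPath) -> bool:
    return p.parent == PureWindowsPath(p.anchor)

def zero_file_suspicious(path: str, size: int, sample: bytes) -> bool:
    """Root-level xfs_supp.sys of at least 5 MB whose sampled bytes are all zero.
    `sample` is whatever the caller read; read the whole file for a full check."""
    p = PureWindowsPath(path)
    return (p.name.lower() == ZERO_FILE_NAME and at_drive_root(p)
            and size >= MIN_ZERO_FILE_SIZE and is_zero_filled(sample))

def taskmgr_suspicious(image_path: str) -> bool:
    """Alice runs as taskmgr.exe; a Task Manager image outside the system dirs."""
    p = PureWindowsPath(image_path)
    parent = tuple(part.lower() for part in p.parent.parts[1:])
    return p.name.lower() == "taskmgr.exe" and parent not in LEGIT_TASKMGR_DIRS

def assess(files, processes):
    """files: (path, size, sample) tuples; processes: image paths. Returns findings."""
    findings = []
    for path, size, sample in files:
        p = PureWindowsPath(path)
        if zero_file_suspicious(path, size, sample):
            findings.append(f"zero-filled {ZERO_FILE_NAME} at {path}")
        if p.name.upper() == LOG_FILE_NAME and at_drive_root(p):
            findings.append(f"{LOG_FILE_NAME} at drive root: {path}")
    for image in processes:
        if taskmgr_suspicious(image):
            findings.append(f"taskmgr.exe running from unexpected path: {image}")
    return findings

if __name__ == "__main__":
    # Constructed observations, not real telemetry from an ATM.
    sample_files = [("C:\\xfs_supp.sys", 6 * 1024 * 1024, b"\x00" * 4096),
                    ("C:\\TRCERR.LOG", 812, b"XFS error ..."),
                    ("C:\\Windows\\System32\\drivers\\xfs_supp.sys", 40000, b"MZ")]
    sample_procs = ["C:\\Windows\\System32\\taskmgr.exe", "D:\\Temp\\taskmgr.exe"]
    for finding in assess(sample_files, sample_procs):
        print("FINDING:", finding)
```

On a live host, feed `assess` the output of a file walk (path, `os.stat` size, a read of the file) and the process image paths from your EDR or `tasklist`; a hit on any of the three indicators warrants pulling the ATM out of service for forensic review.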

Alice Malware Infection Method

There are multiple ways of getting infected with the Alice ATM malware. As described above, all it does is empty the machine of money, so the attacker needs a way to install the virus on the target machine, and there are several options.

The primary method is by physical access. This infection method involves the physical opening of the ATM and infecting the host via the built-in CD-ROM or USB drives. A keyboard can be added to access the motherboard and operate the virus.

The second possibility is to use a remote desktop connection and install the virus over the network.

For more detailed information on the virus you can read Trend Micro’s detailed blog post.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
