A new kind of malware named SUCEFUL, capable of stealing data from debit and credit cards and of retaining those cards inside the ATM, has been described by FireEye Labs. A sample had been uploaded to VirusTotal, where the FireEye researchers found it; they detect it as Backdoor.ATM.Suceful.
The name appears to be a misspelling by the malware's own authors, who most likely meant "Successful". The sample's compile timestamp puts its creation at 25 August 2015, and it is quite possible that the malware is still under development.
The features reported by the researchers are striking, and some of them have not been seen before in any comparable ATM malware. Earlier families such as Ploutus[1] and PadPin[2] were used to attack ATMs in 2013 and 2014 and caused real losses in Russia, Mexico and several other countries. However, none of them matched what Suceful is capable of.
Suceful can read the data on a card's magnetic stripe and the data stored on its chip, and its operator controls it through the ATM's PIN pad. Beyond that, it can retain the inserted card inside the ATM and eject it later on the instruction of whoever installed the malware, which lets the attackers collect the physical card and use it afterwards. It can also suppress the ATM's sensors so that its activity does not trigger an alarm.
Suceful works through the XFS Manager, the standard middleware (CEN/XFS) used by most ATM vendors. Because it calls the XFS Manager in exactly the way a legitimate ATM application does, it gains control of the ATM's peripherals (card reader, PIN pad, sensors) through that middleware; the XFS Manager does not verify which application is calling it, so any code that runs on the ATM's PC can use it. Since the XFS interface is vendor-independent, the technique is not tied to one manufacturer: this sample is written specifically for NCR and Diebold ATMs, but it could be adapted to machines from other vendors that expose the same interface.
(Image source: FireEye.com and pinoytutorial.com)
Even though several ATM vendors use their own proprietary middleware, they also support XFS by default, and it is this that Suceful exploits. The capabilities of malware like Suceful are a matter of real concern. In the past, ATM malware has stolen sensitive card data and a large number of people lost money as a result; Suceful not only steals the data, it can steal the card itself by keeping it in the machine.
If a cardholder's card is retained by an ATM, they should immediately call their bank's customer support and have the card blocked before leaving the ATM location.
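Because the XFS Manager is the common entry point for every ATM peripheral, a practical triage check for any unexpected binary found on an ATM PC is whether it imports the XFS Manager's API at all. The script below is an added example written for this article, not code from FireEye or from the SUCEFUL sample: it parses a PE file's import directory and reports which CEN/XFS entry points (exported by msxfs.dll under their standard names, such as WFSOpen, WFSExecute and WFSRegister) the binary uses. Since no real sample can be shipped with the text, the block also builds a small constructed PE (with an import table only, not runnable code) to exercise the parser; that builder and the DLL/function names it contains are test fixtures, not anything taken from the malware.

```python
import struct

# CEN/XFS entry points exported by the XFS Manager DLL (msxfs.dll). A legitimate
# ATM application uses these to drive the card reader, PIN pad and sensors, so
# finding them in a binary that is not part of the vendor's software is a flag.
XFS_DLL = "msxfs.dll"
XFS_API = {"WFSStartUp", "WFSOpen", "WFSAsyncOpen", "WFSRegister",
           "WFSExecute", "WFSAsyncExecute", "WFSGetInfo", "WFSAsyncGetInfo"}


def parse_imports(data: bytes) -> dict:
    """Walk a PE file's import directory and return {dll_name: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit thunks, ordinal flag in bit 31
        dir_off, tfmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                     # PE32+: 64-bit thunks, ordinal flag in bit 63
        dir_off, tfmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, opt + dir_off - 4)[0] < 2:
        return {}                            # no import data directory at all
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]   # directory index 1
    if imp_rva == 0:
        return {}
    sections = []                            # (VirtualAddress, size, PointerToRawData)
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))

    def off(rva):                            # translate an RVA into a file offset
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + rva - va
        raise ValueError("RVA %#x is not mapped by any section" % rva)

    def cstr(rva):                           # NUL-terminated ASCII string at an RVA
        o = off(rva)
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")

    imports, d, tsize = {}, off(imp_rva), struct.calcsize(tfmt)
    while True:
        oft, _, _, name_rva, fat = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:                    # an all-zero descriptor ends the list
            break
        names, t = [], off(oft or fat)       # prefer the INT, fall back to the IAT
        while True:
            entry = struct.unpack_from(tfmt, data, t)[0]
            if entry == 0:
                break
            names.append("#%d" % (entry & 0xFFFF) if entry & ord_flag else cstr(entry + 2))
            t += tsize
        imports[cstr(name_rva).lower()] = names
        d += 20
    return imports


def xfs_findings(data: bytes) -> list:
    """XFS Manager calls the binary imports, sorted; empty if it does not use XFS."""
    return sorted(f for f in parse_imports(data).get(XFS_DLL, []) if f in XFS_API)


def build_pe(imports: dict, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: a minimal PE (headers plus one .idata section)
    that imports the given names. Not a real binary and not the SUCEFUL sample."""
    sec_rva, sec_off, body = 0x1000, 0x200, bytearray()
    tfmt = "<Q" if pe32plus else "<I"

    def add(b):                              # append to the section, return its RVA
        rva = sec_rva + len(body)
        body.extend(b)
        return rva

    ndesc = len(imports) + 1                 # plus the terminating null descriptor
    body.extend(b"\0" * (20 * ndesc))
    descs = []
    for dll, funcs in imports.items():
        name_rva = add(dll.encode() + b"\0")
        entries = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]   # hint/name pairs
        thunks = b"".join(struct.pack(tfmt, e) for e in entries) + struct.pack(tfmt, 0)
        descs.append(struct.pack("<IIIII", add(thunks), 0, 0, name_rva, add(thunks)))
    body[:20 * (ndesc - 1)] = b"".join(descs)
    opt_size = 0xF0 if pe32plus else 0xE0
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dir_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_off - 4, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_off + 8, sec_rva, 20 * ndesc)     # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body),
                       sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   1, 0, 0, 0, opt_size, 0x102) + opt + sect
    return bytes(hdr).ljust(sec_off, b"\0") + bytes(body)


if __name__ == "__main__":
    # Constructed sample importing the XFS calls an ATM malware would need.
    sample = build_pe({"KERNEL32.dll": ["LoadLibraryA"],
                       "msxfs.dll": ["WFSOpen", "WFSExecute", "WFSRegister", "WFSClose"]})
    print(parse_imports(sample))
    print("XFS Manager calls:", xfs_findings(sample))
```

Run against real files, `xfs_findings(open(path, "rb").read())` is a positive for "XFS-capable", not for "malicious": the vendor's own ATM application imports the same functions. The useful check is therefore the difference between the set of XFS-importing executables on the machine and the vendor's signed application allowlist; anything outside that list deserves a closer look. Binaries that resolve msxfs.dll dynamically through LoadLibrary/GetProcAddress will not show up in the import table, so this heuristic complements, rather than replaces, runtime monitoring of which processes load msxfs.dll.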