Alice in the ATM malware land

Alice is the name of the latest ATM malware family discovered by researchers at TrendMicro. Alice is a bit different from other ATM malware: it is not controlled via the ATM's numeric pad and it has no infostealer features. Alice's only purpose is to cash out ATMs.

The malware was discovered in November this year. Researchers collected a list of hashes, and the files corresponding to those hashes were obtained from VirusTotal for detailed analysis. Researchers first thought that one of the binaries belonged to a new variant of the Padpin ATM malware. One reverse analysis later, it was concluded that the binary belonged to a brand new family.

Besides its name, there are other curious details about Alice. As explained by the researchers, the malware is very feature-lean and includes only the basic functionality needed to empty the money safe of the targeted ATM. Alice is designed to connect to the CurrencyDispenser1 peripheral, but it is not designed to use the ATM's PIN pad. A logical explanation is that the cybercriminals physically open the ATM to infect it via USB or CD-ROM. Once this is done, a keyboard is connected to the ATM's mainboard to operate the malware through it.

The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Nor does Alice have an elaborate install or uninstall mechanism: it works by merely running the executable in the appropriate environment.

On the other hand, Alice shares some similarities with other ATM malware families, such as user authentication. Money mules are given the actual PIN that is needed for the operation. The first command they enter drops the cleanup script, while entering the machine-specific PIN code lets them access the operator panel for money dispensing, TrendMicro explained.

This access code changes between samples to prevent mules from sharing the code and bypassing the criminal gang, to keep track of individual money mules, or both. In our samples the passcode is only 4 digits long, but this can be easily changed. Attempts to brute-force the passcode will eventually cause the malware to terminate itself once the PIN input limit is reached.

Researchers also believe that Alice was designed to run on any vendor's hardware configured to use the Microsoft Extended Financial Services middleware known as XFS; Alice only searches for an XFS environment. In addition, the malware uses only commercially available packers such as VMProtect. TrendMicro found GreenDispenser packed with Themida and Ploutus packed with Phoenix Protector, among others. Packing makes analysis and reverse engineering harder. Malware has relied on these methods for a long time, with most modern malware using custom-built packers.
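Packers such as VMProtect and Themida leave a recognisable statistical footprint: the packed or encrypted section has near-maximal byte entropy and cannot be compressed any further. The following Python script, added here as an illustration and not taken from TrendMicro's analysis or from any of the malware discussed, shows the triage heuristic an analyst runs before deciding whether a binary needs unpacking. It does not parse a real PE file; the section names, their contents (including the repeated `CurrencyDispenser1` string) and the thresholds are constructed for the example and are stated as assumptions in the comments.

```python
"""Entropy / compressibility heuristic for spotting packed PE sections.

Added example, not code from the original article. The sample "sections"
below are constructed byte strings, not a real binary, and the thresholds
are illustrative defaults an analyst would tune against known-good files.
"""
import math
import random
import zlib
from collections import Counter

# Assumed thresholds (illustrative): plain x86 code usually scores around
# 5.5-6.5 bits/byte, packed or encrypted data sits close to 8.0, and data
# that is already compressed or encrypted barely shrinks under zlib.
ENTROPY_THRESHOLD = 7.0
COMPRESS_THRESHOLD = 0.95


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def compression_ratio(data: bytes) -> float:
    """Return compressed size / original size; ~1.0 means incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def looks_packed(data: bytes) -> bool:
    """Flag a section when both heuristics agree, to cut false positives
    from sections that are merely dense (e.g. resources with icons)."""
    return (shannon_entropy(data) > ENTROPY_THRESHOLD
            and compression_ratio(data) > COMPRESS_THRESHOLD)


def flag_packed_sections(sections: dict) -> list:
    """Return the names of sections that look packed, in table order."""
    return [name for name, data in sections.items() if looks_packed(data)]


def build_constructed_sample() -> dict:
    """Build a fake section table (constructed data, not a real PE).

    `.text`   repeats an assembly-like text pattern: low entropy, compressible.
    `.data`   repeats the peripheral name quoted in the article.
    `.packed` is pseudo-random bytes from a seeded generator, standing in for
              the output of a commercial packer. The section name is chosen
              for illustration only.
    """
    rng = random.Random(1337)
    code_like = b"push ebp; mov ebp, esp; sub esp, 0x40; call dispense; ret\n"
    return {
        ".text": (code_like * 2000)[:65536],
        ".data": (b"CurrencyDispenser1\x00" * 4000)[:65536],
        ".packed": bytes(rng.getrandbits(8) for _ in range(65536)),
    }


def triage_report(sections: dict) -> dict:
    """Per-section metrics plus the packed verdict, for an analyst's notes."""
    return {
        name: {
            "entropy": round(shannon_entropy(data), 3),
            "compress_ratio": round(compression_ratio(data), 3),
            "packed": looks_packed(data),
        }
        for name, data in sections.items()
    }


if __name__ == "__main__":
    sample = build_constructed_sample()
    for name, metrics in triage_report(sample).items():
        print(f"{name:8s} {metrics}")
    print("sections needing unpacking:", flag_packed_sections(sample))
```

Running the script prints a metrics line per section and lists only `.packed` as needing unpacking. On a real file the same functions would be fed the raw bytes of each section from a PE parser, and an analyst would also check the section names and the imports, since a packed binary typically imports almost nothing until the stub has unpacked the real code.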

It is indeed curious that ATM malware needed so much time to embrace packing and obfuscation. One reason may be that ATM malware was more of a niche category operated by just a few criminal groups. Unfortunately, ATM malware is becoming more mainstream, meaning that its authors will continue to develop their work.
