A Thai woman withdrawing money from the ATM. Pic: Asian Development Bank / Flickr

Thailand: $350k ATM heist could be connected to new malware Ripper

LAST week, a group of Eastern European cyber thieves hacked automated teller machines (ATM) in Thailand, getting away with more than US$350,000 (over THB12 million). Security researchers suspect that a new, sophisticated malware program called Ripper may have been used to pull off the heist.

According to a report by the International Data Group (IDG), a sample of Ripper was uploaded to VirusTotal, an online virus and malware scanner, from a Thai IP address just before local reports of the hack went live.

A total of 21 ATMs across the country were hacked, forcing the Government Savings Bank to shut all ATMs made by one vendor, NCR, down. According to the Asian Correspondent, officials reassured customers that the money was stolen from the bank, and not customers’ accounts.

SEE ALSO: Apple issues fix after hack attempt on UAE activist Ahmed Mansoor

FireEye, a cyber security company based in California, found that Ripper targeted three of the main ATM vendors worldwide, and can interact with a specific ATM card with a Europay, Mastercard and Visa (EMV) chip.

Once in place, the malware works by killing and replacing the ATM software with itself, and then examining the “contents of directories” of the targeted ATM vendors without raising suspicion. From there, the thieves can insert their Ripper-specific cards and interact with the ATM to carry out a number of actions.

These include disabling the local network interface to stop the system from communicating with the bank, and rebooting it to avoid prompts for confirmation. Thieves can also issue commands for the machine to dispense up to 40 banknotes at a time.

“This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices,” writes FireEye. “In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical.”

Ripper has some features that are similar to past ATM malware programs such as Padpin (Tyupkin), SUCEFUL, and GreenDispenser, but this is the first time security researchers have seen a malware that targets three of the biggest ATM vendors globally.