Security Blog

Next Generation ATM Malware

ATM malware has been around for many years and has done some serious damage to cardholders.

But things may be about to change for the worse. A new piece of ATM malware, “Suceful” (the name comes from a typo by its author), time-stamped 25 August 2015, is believed to be shaping up into ATM malware with many advantages for an attacker that have not been reported before.

Suceful was discovered by FireEye Labs and was recently uploaded to VirusTotal from Russia. It works by interacting with the XFS Manager, middleware that is part of the WOSA/XFS standard used by major ATM vendors such as NCR and Diebold. As such, it is very likely to cause a major upset.

Every ATM vendor has its own implementation of the XFS Manager to handle security and vendor-specific actions, but vendors also support the default XFS Manager standard, which makes it possible for attackers to build their own interface to the ATM and interfere with the legitimate one.

Suceful is said to still be under development at this point, but it has the potential to:

  • Read chip and track data.
  • Control the ATM.
  • Retain and eject the physical card on demand.
  • Suppress ATM sensors.

Suceful is unique. It is vendor-independent, which makes it the first vendor-independent malware. And it is designed not just to steal card data but also to steal the card physically, which will raise new concerns for ATM vendors and banks.
