

GreenDispenser has the ability to target ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names from the registry hive before defaulting to hardcoded peripheral names. The malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection. Furthermore, GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN - a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist. In addition, GreenDispenser has the capability to perform a deep delete after the heist to prevent forensic analysis and IR investigations.

An initial inspection of the IAT (Import Address Table) in GreenDispenser shows usage of various XFS APIs through msxfs.dll in order to interface with the XFS middleware. Specifically, GreenDispenser, like its predecessors, interacts with the XFS middleware, which is widely adopted by various ATM vendors. The XFS middleware allows software to interact with the peripherals connected to the ATM, such as the pinpad and the cash dispenser, by referencing the specific peripheral name.

GreenDispenser performs a check to verify that the current year is 2015 and the current month is earlier than September. If these conditions are not met, then GreenDispenser simply quits. If the checks pass, GreenDispenser proceeds to create a mutex called “dispenserprgm” to ensure that only a single instance of GreenDispenser is running. It then creates a second desktop environment on the ATM called “dDispW” and creates a window in the second desktop called “Dispenser”. This window is created using the window style “WS_EX_TOPMOST” to ensure that it overlays all other windows on the ATM screen.

GreenDispenser may initially display a message on the screen indicating that the ATM is out of service, as shown in Figure 3. It is interesting to note that while this instance displays a message in English (or somewhat close to it), other instances displayed an out of order message in Spanish with the string “Temporalmente fuera de servicio”. GreenDispenser then initiates a session to the XFS manager using WFSStartUp and attempts to query the registry location “HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=PIN” to obtain the peripheral name for the pinpad. If not found, it defaults to “Pinpad1”, which is the pinpad peripheral name on specific ATMs. GreenDispenser then waits in an infinite loop for input from the pinpad. It accepts input from the pinpad using a call to WFSExecute with the command set to “WFS_CMD_PIN_GET_DATA”, as shown in Figure 4. If the right static PIN is provided, it then displays the screen shown in Figure 5 prompting for a second PIN. The contents of the QR code are randomly seeded and subjected to encryption using the Microsoft CryptoAPI followed by Base64 encoding, but we have chosen to forgo further discussion of details in order to avoid potential misuse of infected ATMs.

We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN. Once the attacker enters the correct secondary PIN into the pinpad, a second menu is shown (Figure 6), which allows access to the cash dispenser. If the dispense cash option is selected, GreenDispenser attempts to query the registry location “HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM” to find the peripheral name for the cash dispenser. If not found, it defaults to “CurrencyDispener1”, which is the cash dispenser peripheral name on specific ATMs. It then makes a call to WFSExecute with the command set to “WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash. GreenDispenser also has the ability to delete itself, as may be seen in the options offered in the malware interaction menu. Typically when a file is deleted, the operating system removes the reference pointer to the data but not the data itself.
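As an added triage example that is not code from the Proofpoint report, the Python below checks constructed, Sysmon-style behavioural events for the traits described above (the mutex and desktop names, the XFS LOGICAL_SERVICES registry queries, the msxfs.dll load and a dispense command) and encodes the activation window so an analyst remembers why a detonation clocked after August 2015 shows nothing but an immediate exit. The event field names and the sample event list are assumptions.

```python
# Added example, not from the Proofpoint report. Event shape ({"type", "detail"})
# and SAMPLE_EVENTS are constructed to mimic host telemetry for one process.

# Indicators taken from the report's description of the sample.
MUTEX_NAME = "dispenserprgm"
DESKTOP_NAME = "dDispW"
XFS_REG_PREFIX = r"HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES"
XFS_DLL = "msxfs.dll"
DISPENSE_CMD = "WFS_CMD_CDM_DISPENSE"


def in_activation_window(year: int, month: int) -> bool:
    """The sample runs only when the year is 2015 and the month is before
    September; a sandbox clocked outside this window sees it quit at once."""
    return year == 2015 and month < 9


def score_events(events: list[dict]) -> dict:
    """Return which GreenDispenser traits appear in a process's event list,
    plus a count of distinct traits matched."""
    hits = {"mutex": False, "desktop": False, "xfs_registry": False,
            "xfs_dll": False, "dispense": False}
    for ev in events:
        kind, detail = ev["type"], ev["detail"]
        if kind == "mutex" and detail == MUTEX_NAME:
            hits["mutex"] = True
        elif kind == "desktop" and detail == DESKTOP_NAME:
            hits["desktop"] = True
        elif kind == "registry" and detail.startswith(XFS_REG_PREFIX):
            hits["xfs_registry"] = True
        elif kind == "image_load" and detail.lower().endswith(XFS_DLL):
            hits["xfs_dll"] = True
        elif kind == "api" and DISPENSE_CMD in detail:
            hits["dispense"] = True
    # Legitimate ATM software also loads msxfs.dll and reads LOGICAL_SERVICES;
    # the fixed mutex/desktop names and a dispense issued by a non-vendor
    # binary are what make the combination worth escalating.
    hits["score"] = sum(1 for v in hits.values() if v)
    return hits


# Constructed sample: the sequence the report describes for a successful run.
SAMPLE_EVENTS = [
    {"type": "image_load", "detail": r"C:\Windows\System32\msxfs.dll"},
    {"type": "mutex", "detail": "dispenserprgm"},
    {"type": "desktop", "detail": "dDispW"},
    {"type": "registry", "detail": r"HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=PIN"},
    {"type": "registry", "detail": r"HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM"},
    {"type": "api", "detail": "WFSExecute(WFS_CMD_CDM_DISPENSE, timeout=12000)"},
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```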
