Detected by Europol EC3 and Trend Micro in November 2016, Alice is a simple malware variant specifically designed to force an ATM to empty its cash dispenser. Unlike other ATM malware, Alice does not collect information and cannot be controlled by the device’s numeric PIN pad. To deploy this malware, threat actors must have physical access to an ATM via its USB ports or CD-ROM slots. Before running, Alice checks for a compatible Extensions for File Services (XFS) system by locating several registry keys and displays the message ‘Error -43!’ if a supported XFS system is not found. If a supported system is found, a window appears requesting that the user enter an access code for authorization. Alice also has the capability to connect remotely via Remote Desktop Protocol (RDP); however, this feature does not appear to have been used in previous attacks.
