Researchers at ProofPoint discovered an ATM malware variant dubbed GreenDispenser that is capable of forcing an ATM to empty its cash vault. Installing GreenDispenser likely requires physical access to the ATM, and the malware operates by interacting with the machine's XFS middleware, a platform that provides a common interface for financial services devices regardless of the manufacturer. XFS enables communication between the ATM's hardware components, including peripheral devices such as the PIN pad and the cash dispenser. Once the malware is installed, the ATM screen displays an "out of service" message in either English or Spanish; an attacker can bypass this message by entering PIN codes. GreenDispenser restricts when it will operate based on the date and uses two-factor authentication (2FA): researchers have detected samples that were limited to running during a specific year and prior to a certain month, and the malware requires both a static hardcoded PIN and a second, dynamic PIN derived from a QR code shown on the infected ATM's screen. Once authenticated, the threat actor has four options: pressing 1 dispenses money, 8 deletes the malware, 88 performs a forced deletion, and 9 pauses operations.

Reporting and Technical Details: 

Image Source: ProofPoint