
Alice Malware Introduces a New Era in ATM Hijacking

By Giedrius Majauskas

Alice is a new family of ATM malware discovered by researchers at Trend Micro. On the 20th of December, 2016, an article about the malware was published on the company's official blog, and that post contains an extensive analysis of the malware. In our post we are going to introduce you to Alice and give you an idea of what this specific malware is like.

BKDR_ALICE.A is the name under which Trend Micro's security software detects Alice. The malware was uncovered in November 2016 with the help of Europol EC3; however, according to the forensic analysis of the samples, Alice has definitely been active since October 2014. It differs from other ATM malware in its functionality, which is limited to emptying ATMs. Whereas previous ATM malware was controlled through the numeric pad of the machine, Alice is loaded onto the system from a CD-ROM or USB drive after the ATM has been physically opened; a keyboard is then connected to the mainboard of the machine so that the malware can be controlled. In addition, Alice has none of the features of an info-stealer.

This new, distinct ATM-targeting malware got its name from its executable, where it is called Project Alice.

The malware is designed to run in an XFS environment, that is, on the Microsoft Extended Financial Services middleware. Interestingly, its binary is packed with VMProtect, a commercial software-protection product. Here that program serves to determine whether the protected malicious file is running in a fake testing system or not. If the system is fake, the following warning message pops up:

Alice takes further steps to ensure that it is running on a real ATM. One of them is inspecting the system's registry for the entries HKLM\SOFTWARE\XFS and HKLM\SOFTWARE\XFS\TRCERR; if these entries do not exist, Alice cancels its installation. It also checks for the DLL files MSXFS.dll, XFS_CONF.dll and XFS_SUPP.dll, whose presence likewise indicates whether the system is a viable target. On an artificial machine the following window pops up:

On a real machine, this one:

Once on the device, Alice creates two files: xfs_supp.sys and TRCERR.LOG. The first is an empty file of over 5 MB; the second is a file that logs errors. It remains on the machine, probably because of programming flaws in Alice. The malware then initiates a connection to the CurrencyDispenser1 peripheral. If the connection fails, the error is logged in the TRCERR.LOG file. If the connection succeeds, specific PIN inputs give specific commands to the malware:

However, if incorrect PIN codes are entered, the following pop-up is displayed and Alice terminates itself:

If the correct PINs are entered, the following screen is presented, showing the contents of the machine:

Now the ATM can be emptied completely. Once the cassette ID has been entered, a dispense command is issued to CurrencyDispenser1 via the WFSExecute API and cash is dispensed. The procedure can be repeated until all the cash has been dispensed. On affected systems, Alice is found as a file named taskmgr.exe.
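A defender-side triage check for the host artifacts named above, added here as an example; it is not code from the Trend Micro write-up or from this post. It walks a mounted ATM disk image (or any directory tree) looking for a zero-filled xfs_supp.sys of at least 5 MiB, a TRCERR.LOG, and a taskmgr.exe outside the Windows system directories; the size threshold, the list of legitimate taskmgr.exe locations and the constructed sample tree are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Host artifacts the write-up attributes to Alice (names only; the post gives no hashes).
ZERO_FILE_NAME = "xfs_supp.sys"        # the ~5 MB file of empty data
ERROR_LOG_NAME = "trcerr.log"          # error log the malware leaves behind
BINARY_NAME = "taskmgr.exe"            # name the malware is found under on infected ATMs
MIN_ZERO_FILE_BYTES = 5 * 1024 * 1024  # assumption: "over 5 MB" taken as at least 5 MiB
LEGIT_TASKMGR_DIRS = {"windows/system32", "windows/syswow64"}  # assumed genuine locations


def is_all_zero(path: Path, chunk_size: int = 1 << 20) -> bool:
    """True if every byte of the file is 0x00; reads in chunks rather than all at once."""
    zero_chunk = bytes(chunk_size)
    with path.open("rb") as fh:
        while chunk := fh.read(chunk_size):
            if chunk != zero_chunk[: len(chunk)]:
                return False
    return True


def hunt_alice_artifacts(root: str) -> list:
    """Walk a mounted ATM disk image (or any tree) and return sorted (reason, path) hits."""
    root_path, hits = Path(root), []
    for dirpath, _, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path).as_posix().lower()
        for name in filenames:
            p, lower = Path(dirpath) / name, name.lower()
            if lower == ZERO_FILE_NAME:  # only a large, fully zero-filled file counts
                if p.stat().st_size >= MIN_ZERO_FILE_BYTES and is_all_zero(p):
                    hits.append(("zero-filled xfs_supp.sys", str(p)))
            elif lower == ERROR_LOG_NAME:
                hits.append(("TRCERR.LOG error log", str(p)))
            elif lower == BINARY_NAME and rel_dir not in LEGIT_TASKMGR_DIRS:
                hits.append(("taskmgr.exe outside system directories", str(p)))
    return sorted(hits)


def build_sample_image() -> str:
    """Constructed sample tree: one genuine taskmgr.exe, Alice-like artifacts, one decoy."""
    root = Path(tempfile.mkdtemp(prefix="alice_hunt_"))
    files = {
        "Windows/System32/taskmgr.exe": b"MZ legit",           # expected location: no hit
        "ATM/taskmgr.exe": b"MZ suspicious",                  # hit
        "ATM/TRCERR.LOG": b"dispenser error\r\n",             # hit
        "ATM/xfs_supp.sys": bytes(MIN_ZERO_FILE_BYTES),       # hit: 5 MiB of zeroes
        "decoy/xfs_supp.sys": b"\xff" * MIN_ZERO_FILE_BYTES,  # same name, not zero-filled
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return str(root)
```

Run `hunt_alice_artifacts(build_sample_image())` to see the three expected hits; point it at a mounted image root to triage a real system.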

Source: blog.trendmicro.com.
