
New ATM malware steals cash and disappears without a trace

A new strain of ATM malware has been spotted in the wild that lets attackers drain cash from infected machines.

The news was unveiled by security company Proofpoint, which calls the malware GreenDispenser.

“When installed, GreenDispenser may display an ‘out of service’ message on the ATM -- but attackers who enter the correct pin codes can then drain the ATM’s cash vault,” Proofpoint writes in its blog post, adding that the malware can run a "deep delete" process to erase any trace that it was ever on the machine.

"Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel," Thoufique Haq, threat researcher at Proofpoint, wrote in a blog post.

It seems the malware is operated together with a companion mobile app: the ATM displays a QR code, the app scans it and derives a second PIN, and that PIN is what unlocks the machine for the attacker.

"We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN - a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist," said Haq.
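The page does not say how the second PIN is derived from the scanned code. The following is an added illustration, not GreenDispenser's code, of a challenge-response scheme of the kind Haq describes: the terminal shows a random challenge in a QR code, the phone derives a short PIN from a shared secret, the challenge and the current time window, and the terminal checks it. The HMAC-based derivation, the 30-second window and all function names are assumptions made for the example.

```python
# Added example: a challenge-response second-PIN scheme of the kind Haq describes.
# Illustrative code, not GreenDispenser's; the HMAC-SHA256 derivation, 30-second
# window and function names are assumptions made for this example.
import hashlib
import hmac
import os

PIN_DIGITS = 6
WINDOW_SECONDS = 30


def terminal_make_challenge() -> str:
    """Terminal side: a fresh random challenge to encode in the on-screen QR code."""
    return os.urandom(8).hex()


def derive_pin(shared_secret: bytes, challenge: str, window: int) -> str:
    """Both sides: HMAC-SHA256 over challenge || time window, reduced to a decimal
    PIN with the dynamic-truncation step HOTP (RFC 4226) uses."""
    msg = challenge.encode() + window.to_bytes(8, "big")
    digest = hmac.new(shared_secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


def phone_respond(shared_secret: bytes, scanned_challenge: str, now: int) -> str:
    """Phone side: after scanning the QR code, derive the PIN for the current window."""
    return derive_pin(shared_secret, scanned_challenge, now // WINDOW_SECONDS)


def terminal_verify(shared_secret: bytes, challenge: str, entered_pin: str,
                    now: int, skew: int = 1) -> bool:
    """Terminal side: accept the PIN for the current window or one window either
    side (clock drift between phone and terminal), comparing in constant time."""
    base = now // WINDOW_SECONDS
    entered = entered_pin.encode()
    return any(
        hmac.compare_digest(derive_pin(shared_secret, challenge, base + d).encode(), entered)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed shared secret
    challenge = terminal_make_challenge()            # what the terminal would show as a QR code
    now = 1_700_000_000                              # fixed clock for a reproducible run
    pin = phone_respond(secret, challenge, now)      # what the app would show the operator
    print("challenge:", challenge, "pin:", pin,
          "accepted:", terminal_verify(secret, challenge, pin, now))
```

Because the challenge is random and the window is part of the input, a PIN captured by watching the operator type is useless a minute later or against another machine, which is the property that makes such a scheme attractive to a crew that does not want mules skimming the proceeds.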

GreenDispenser can also delete itself in a way that defeats ordinary file recovery.

"Typically when a file is deleted, the operating system removes the reference pointer to the data but not the data itself. This allows files to be recovered using disk editors and forensics tools later in time," the post explains.
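To make the distinction concrete, here is an added example (not code from the Proofpoint post) using a toy block device with a file table. An ordinary delete only drops the table entry, so a forensic carve of the raw blocks still finds the data; an overwrite-before-unlink of the kind tools such as shred or SDelete perform leaves nothing to carve. The class and function names, block size and sample payload are constructed for the example.

```python
# Added example, not from the Proofpoint post: a toy block device with a file
# table, showing why an ordinary delete leaves contents recoverable by carving
# raw blocks and why overwriting the blocks before unlinking does not.
# Names, block size and the sample payload are constructed for this example.
import os
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 16


class ToyDisk:
    """A flat array of fixed-size blocks plus a file table mapping names to
    block indexes. The table entries are the 'reference pointers' the post mentions."""

    def __init__(self, nblocks: int = 32):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]
        self.free = list(range(nblocks))
        self.table: Dict[str, List[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
                  for i in range(0, len(data), BLOCK_SIZE)]
        indexes = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(indexes, chunks):
            self.blocks[idx] = chunk
        self.table[name] = indexes

    def delete(self, name: str) -> None:
        """Ordinary unlink: drop the table entry and mark the blocks free.
        The bytes themselves stay on disk until something reuses the blocks."""
        self.free.extend(self.table.pop(name))

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite every block of the file (random passes, then zeros) before
        unlinking, so the data is gone rather than merely unreferenced."""
        for idx in self.table[name]:
            for _ in range(passes):
                self.blocks[idx] = os.urandom(BLOCK_SIZE)
            self.blocks[idx] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve(disk: ToyDisk, marker: bytes) -> Optional[bytes]:
    """Forensic recovery: ignore the file table and scan the raw blocks for a
    known marker, returning the bytes up to the first NUL (our block padding)."""
    raw = b"".join(disk.blocks)
    start = raw.find(marker)
    if start < 0:
        return None
    end = raw.find(b"\0", start)
    return raw[start:end] if end >= 0 else raw[start:]


def compare_deletions(payload: bytes, marker: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Write the same payload to two fresh disks, delete it normally on one and
    securely on the other, then try to carve it back from each."""
    plain = ToyDisk()
    plain.write("dispenser.bin", payload)
    plain.delete("dispenser.bin")

    secure = ToyDisk()
    secure.write("dispenser.bin", payload)
    secure.secure_delete("dispenser.bin")

    return carve(plain, marker), carve(secure, marker)


if __name__ == "__main__":
    sample = b"CONFIG:constructed-sample-payload"  # constructed test data
    recovered_plain, recovered_secure = compare_deletions(sample, b"CONFIG:")
    print("after ordinary delete:", recovered_plain)
    print("after secure delete:  ", recovered_secure)
```

On a real machine the overwrite is not the end of the story: journaling file systems, SSD wear levelling and copies of the data in the page file, prefetch files or volume shadow copies can all preserve fragments after the file's own blocks have been wiped, which is why an incident responder looks at those artifacts rather than only at the deleted file.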

Proofpoint concludes the report by saying that ATM malware continues to evolve and is becoming stealthier in the process, and that financial institutions should re-examine their existing legacy security layers.