Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SUCEFUL, the first multi-vendor ATM malware

According to the malware researchers at FireEye Labs Suceful is the first multi-vendor ATM malware threatening the banking industry. Experts at FireEye have discovered a new strain of malware dubbed Suceful (Backdoor.ATM.Suceful) specifically designed to target ATMs. Malware designed to hack ATMs are not new, in the past security experts have already detected malicious codes used […]

SUCEFUL, the first multi-vendor ATM malware

According to the malware researchers at FireEye Labs Suceful is the first multi-vendor ATM malware threatening the banking industry.

Experts at FireEye have discovered a new strain of malware dubbed Suceful (Backdoor.ATM.Suceful) specifically designed to target ATMs. Malware designed to hack ATMs are not new, in the past security experts have already detected malicious codes used to make ATMs dispense cash, such as Ploutus or Tyupkin.

Why Suceful is singular?

According to the malware researchers at FireEye Labs Suceful is the first multi-vendor ATM malware threatening the banking industry.

The variant detected by FireEye appears to have been created on August 25, it was recently uploaded to VirusTotal from Russia and experts speculate that it could be the result of ongoing development.

FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks.” states the blog post published by FireEye.

suceful

Similar to other ATM malware, SUCEFUL interacts with a middleware called XFS Manager which is the interface between the application (malware in this case) and the peripheral devices (e.g., printer, dispenser, card reader, in pad).

suceful 2 XFS manager

Almost every vendor has its own implementation of the XFS Manager despite they also support the default XFS Manager template.

According to the experts in Diebold or NCR ATMs, SUCEFUL is able to read credit/debit card data, and suppressing ATM sensors to avoid detection.

The SUCEFUL capabilities in Diebold or NCR ATMs include:

  1. Reading all the credit/debit card track data
  2. Reading data from the chip of the card
  3. Control of the malware via ATM PIN pad
  4. Retention or ejection of the card on demand: This could be used to steal physical cards
  5. Suppressing ATM sensors to avoid detection

FireEye is still investigating on the case, it has no evidence of how the crooks installed on SUCEFUL on the ATMs.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SUCEFUL , ATM)