Cybercrime gang using 'Ripper' malware in spate of bank ATM heists

Cybersecurity experts at FireEye believe they have detected the strain of malware being used in a sophisticated hacking scheme across Southeast Asia that is targeting specific brands of cash machines to steal millions in local currencies. The malware in question, dubbed "Ripper", was first spotted by the firm on the same day as reports emerged that Thailand's Government Savings Bank (GSB) was shutting down half of its ATMs amid a police probe after hackers compromised 12 million baht (£260,000, $350,000) in early August.

According to FireEye researcher Daniel Regalado, the Ripper malware builds on a number of known ATM exploits – including Tyupkin and GreenDispenser – and contains a number of "interesting techniques not seen before."

Upon analysis, Regalado said indicators strongly suggest Ripper was used in the Thailand attack. "We've identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware." the researcher said.

He continued: "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices.

"In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves."

In a previous series of cyberattacks, believed to have taken place between 9-10 July this year, the top eight banks in Taiwan were forced to shut down activity on hundreds of its cash machines after criminals used malware to steal NT$70m ($2.17m, £1.64m, €1.9m) in cash.

Both ATM-based attacks to date have been blamed on an "international organised crime ring" that is thought to be from Eastern Europe.

FireEye said the Ripper malware is the first known strain that is able to target three of the main ATM vendors worldwide. Additionally Regalado said that, based on statements from bank officials, Ripper matches the techniques used by this suspected gang,

He said it "interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism" and added that "although this technique was already used by the Skimmer family, it is an uncommon mechanism."

As noted, Regalado revealed Ripper appears to be an evolution of previously-disclosed techniques. In the case of GreenDispenser, which was covered in detail by cybersecurity firm Proofpoint, it was found to give attackers the ability to "walk up to an infected ATM and drain its cash."

Adding to mounting evidence that Ripper is being actively exploited in the Southeast Asia region, FireEye found a version of the malware was added to Google's VirusTotal on the same day as news reports of the Thailand hack emerged.

Despite being a service used by cybersecurity researchers and technology firms to check software for any known bugs, some experts believe cybercriminals also use the service to check if their exploits can bypass popular anti-malware tools before launching attacks on victims.