An old piece of ATM malware is back, and reportedly more dangerous and harder to detect than ever. According to security researchers from Kaspersky Lab, an updated piece of malware dubbed Skimer has infected numerous Windows-based ATMs across all corners of the globe.
When installed, the updated version of Skimer checks to see if the file system is FAT32 or NTFS. If it’s the former, it “drops the file netmgr.dll in the folder C:\Windows\System32” and if it’s the latter, “the same file will be placed in the NTFS data stream corresponding to the XFS service's executable file.” The end result is that the malware is harder for security officials to detect and make sense of.
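Both drop locations described above can be checked by a defender. The following PowerShell is an added example, not code from Kaspersky or from this article; it assumes PowerShell 3.0 or later and that `$SystemDir` points at the ATM's System32 directory (live or on a mounted image). Because the article does not name the XFS service's executable, the hypothetical helper `Find-NamedStream` scans every .exe and .dll in that directory.

```powershell
# Added example: checks the two drop locations the article describes.
param(
    [string]$SystemDir = 'C:\Windows\System32'  # path quoted in the article
)

# Hypothetical helper: list named (alternate) data streams on binaries in a directory.
function Find-NamedStream {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -Path $Directory -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is a named stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Determine which of the two cases applies to the volume holding System32.
$root   = [System.IO.Path]::GetPathRoot($SystemDir)
$format = (New-Object System.IO.DriveInfo $root).DriveFormat
Write-Output "File system under ${root}: $format"

# FAT32 case: netmgr.dll written as an ordinary file in System32.
$dropped = Join-Path $SystemDir 'netmgr.dll'
if (Test-Path -LiteralPath $dropped) {
    Get-Item -LiteralPath $dropped -Force |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

# NTFS case: payload stored in a named stream of a service executable.
if ($format -eq 'NTFS') {
    # Zone.Identifier (mark-of-the-web) is a common benign named stream; review the rest.
    Find-NamedStream -Directory $SystemDir |
        Where-Object { $_.Stream -ne 'Zone.Identifier' } |
        Sort-Object Length -Descending
}
```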
Unlike other skimming malware programs, like Tyupkin, which becomes active in a specific time frame and is awakened by a ‘magic code’, Skimer may lie dormant for months until it is activated with the physical use of a ‘magic card.’ The magic card gives access control to the malware, which then offers a list of options that are accessed by inputting a choice on the pin pad.
Once an ATM is compromised and the Skimer malware resuscitated from its dormant state, cyber criminals can gather pertinent financial data from inserted cards and can even direct the machine to dispense money. And in an additional step to evade detection, the malware can even be instructed to self-destruct.
A view of the Skimer malware in action, courtesy of Kaspersky, can be viewed below.