A fresh strain of ATM malware dubbed GreenDispenser is being used by hackers to drain cash from infected machines, according to researchers at security firm Proofpoint.
Once installed, the malware can display an "out of service" message on the ATM, yet attackers remain able to enter a specific PIN to drain money from the machine and even erase the malware by using a "deep delete" process.
Evidence suggests that GreenDispenser, which so far has only affected ATMs in Mexico and India, has to be installed manually.
"Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel," Thoufique Haq, threat researcher at Proofpoint, wrote in a blog post.
The malware appears to be operated with the help of a mobile application: the operator scans a code shown by the ATM and the app derives a second PIN, which is then used to unlock the machine.
"We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN - a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist," said Haq.
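Proofpoint does not describe how the second PIN is derived, so the following is an added illustration (not GreenDispenser's code, not Proofpoint's) of the kind of challenge-response scheme Haq describes: the ATM shows a fresh random challenge, and only a holder of the shared secret can turn it into the matching PIN. The shared secret, the HMAC-SHA256 construction and the HOTP-style truncation are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Secret assumed to be provisioned into both the ATM-side component and the
# operator's phone app. Constructed value for this example only.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def new_challenge(nbytes: int = 8) -> str:
    """ATM side: a fresh random challenge, the value that would be encoded
    into the barcode shown on screen."""
    return secrets.token_hex(nbytes)


def derive_pin(secret: bytes, challenge: str, digits: int = 6) -> str:
    """App side: HMAC-SHA256 over the challenge, truncated to a numeric PIN.

    Uses the dynamic truncation from RFC 4226 (HOTP) so the PIN is drawn
    uniformly from the MAC rather than from its first few bytes.
    """
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # 0..15, well inside 32 bytes
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_pin(secret: bytes, challenge: str, pin: str) -> bool:
    """ATM side: recompute the expected PIN and compare in constant time.
    A PIN captured for one challenge is useless for the next one."""
    return hmac.compare_digest(derive_pin(secret, challenge), pin)


def demo() -> dict:
    """Walk through one session: challenge, derived PIN, and a replay attempt."""
    first = new_challenge()
    pin = derive_pin(SHARED_SECRET, first)
    second = new_challenge()               # next session shows a new challenge
    return {
        "accepted": verify_pin(SHARED_SECRET, first, pin),
        "replay_accepted": verify_pin(SHARED_SECRET, second, pin),
        "guess_accepted": verify_pin(SHARED_SECRET, first, "000000"),
    }


if __name__ == "__main__":
    print(demo())
```

The defender-relevant point is that the on-screen code by itself leaks nothing; the value of the scheme to the attacker lies entirely in the secret held by the phone app, which is why Haq calls it "a two-factor authentication of sorts".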
GreenDispenser can also remove itself using the "deep delete" process noted above, a feature aimed at defeating the forensic recovery that Haq describes:
"Typically when a file is deleted, the operating system removes the reference pointer to the data but not the data itself. This allows files to be recovered using disk editors and forensics tools later in time."
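To make Haq's point concrete, here is an added example (not Proofpoint's code and not GreenDispenser's routine, whose internals the page does not document) using a toy block device: an ordinary unlink drops the directory entry but leaves the file's bytes on disk, so a carving pass that ignores the directory still finds the executable; an overwrite-before-unlink, which is the assumed meaning of "deep delete" here, leaves nothing to carve. The block size, directory model and sample payload are all constructed for the example.

```python
import os

BLOCK = 16  # constructed toy block size


class ToyDisk:
    """Minimal block device with a flat directory: name -> list of block indexes.
    Constructed to show what is and is not removed by each kind of delete."""

    def __init__(self, nblocks: int = 64):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = list(range(nblocks))
        self.directory = {}

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        idxs = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.blocks[idx] = chunk.ljust(BLOCK, b"\0")
            idxs.append(idx)
        self.directory[name] = idxs

    def unlink(self, name: str) -> None:
        """Ordinary delete: remove the reference, return the blocks to the
        free list, leave the data itself untouched (Haq's description)."""
        self.free.extend(self.directory.pop(name))

    def deep_delete(self, name: str, passes: int = 3) -> None:
        """Assumed 'deep delete': overwrite every block of the file (random
        passes, then zeros) before dropping the directory entry."""
        for idx in self.directory[name]:
            for _ in range(passes):
                self.blocks[idx] = os.urandom(BLOCK)
            self.blocks[idx] = bytes(BLOCK)
        self.unlink(name)


def carve(disk: ToyDisk, marker: bytes) -> list:
    """Forensic carving: ignore the directory entirely and scan raw blocks
    for a known header. Returns the indexes of blocks containing the marker."""
    return [i for i, blk in enumerate(disk.blocks) if marker in blk]


def recover(disk: ToyDisk, start: int, nblocks: int) -> bytes:
    """Pull a contiguous run of blocks back out once carving has located it."""
    return b"".join(disk.blocks[start:start + nblocks])


def demo() -> dict:
    # Constructed stand-in for a dropped PE file: 'MZ' header, then a body.
    payload = b"MZ" + b"\x90" * 14 + b"GreenDispenser toy payload body"

    plain = ToyDisk()
    plain.write_file("svc.exe", payload)
    plain.unlink("svc.exe")

    deep = ToyDisk()
    deep.write_file("svc.exe", payload)
    deep.deep_delete("svc.exe")

    hits = carve(plain, b"MZ")
    return {
        "entry_gone_after_unlink": "svc.exe" not in plain.directory,
        "carved_after_unlink": hits,
        "recovered_after_unlink": recover(plain, hits[0], 3) if hits else b"",
        "carved_after_deep_delete": carve(deep, b"MZ"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real NTFS or FAT volume the mechanics differ (MFT records, cluster chains, journaling, SSD wear levelling), but the investigative consequence is the same: an image of the ATM's disk taken after an ordinary delete still yields the binary, which is exactly what a self-wiping sample is trying to deny responders.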
The Proofpoint research team says that ATM malware is continuing to evolve, adding increasingly stealthy features.
"While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter of time before these techniques are abused across the globe," writes Haq.
"We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come. In order to stay ahead of attackers financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats."
Furthermore, according to Kevin Epstein, vice president of threat operations for Proofpoint, financial institutions should review their security in light of the numerous strains of ATM malware being uncovered.
"ATM malware such as GreenDispenser is particularly alarming because it allows cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers - and with correspondingly less traceability," he said.
The latest malware variant comes after FireEye Labs recently discovered a new piece of ATM malware, dubbed Suceful, which targets cardholders and is able to retain debit cards on infected machines.
Last year, a variant codenamed Tyupkin was uncovered by Kaspersky Lab on more than 50 ATMs in eastern Europe.