A fresh strain of ATM malware dubbed GreenDispenser is being used by hackers to drain cash from infected machines, according to researchers at security firm Proofpoint.
Once installed, the malware can display an "out of service" message on the ATM, yet attackers remain able to enter a specific PIN to drain money from the machine and even erase the malware by using a "deep delete" process.
Evidence suggests that GreenDispenser, which so far has only affected ATMs in Mexico and India, has to be installed manually.
"Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel," Thoufique Haq, threat researcher at Proofpoint, wrote in a blog post.
The malware seems to be operated by hackers with the help of a mobile application, using a QR reader to generate a PIN that is then used to access the machine.
"We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN - a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist," said Haq.
GreenDispenser also has the ability to delete itself - see menu below.
"Typically when a file is deleted, the operating system removes the reference pointer to the data but not the data itself. This allows files to be recovered using disk editors and forensics tools later in time."
The Proofpoint research team says that ATM malware is continuing to evolve, adding increasingly stealthy features.
"While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter of time before these techniques are abused across the globe," writes Haq.
"We believe we are seeing the dawn of a new criminal industry targeting ATMs with only more to come. In order to stay ahead of attackers financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats."
Furthermore, according to Kevin Epstein, vice president of threat operations for Proofpoint, financial institutions should review their security in light of the numerous strains of ATM malware being uncovered.
"ATM malware such as GreenDispenser is particularly alarming because it allows cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers - and with correspondingly less traceability," he said.
"In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats."
The latest malware variant comes after FireEye Labs recently discovered a new piece of ATM malware, dubbed Suceful, which targets cardholders and is able to retain debit cards on infected machines.
Last year, a variant codenamed Tyupkin was uncovered on over 50 ATMs in eastern Europe by Kaspersky Labs.