New malware can make ATMs not give users’ card back

“A new type of malware that can be used to compromise ATMs independently of who their manufacturer is, and can make the machine steal card data but also the cards themselves, has been spotted by FireEye researchers.

The dubbed the malware Suceful, after the authors’ faulty spelling of the word “successful”. The sample they analyzed came from VirusTotal, and it’s likely that the authors submitted it themselves in order to see whether the malware will be flagged down as such by the various AV engines employed by the testing service.

“Suceful was recently uploaded to VirusTotal from Russia, and based on its timestamp, it was likely created on August 25, 2015. It might still be in its development phase; however, the features provided are shocking and never seen before in ATM malware,” the researchers noted.

This particular sample can read all the credit/debit card track data and data from the card’s chip (if the card has one), retain or eject the inserted card on demand, and can be controlled by the attackers via the ATMs PIN pad.

The malware is also capable of disabling the ATMs door, alarm and proximity sensors to prevent malicious activities from being detected.

The malware authors managed to make it usable on various types of ATMs by leveraging the fact that XFS Manager – the middleware used in the machines – is vendor independent.


“Every vendor has its own implementation of the XFS Manager with proper security controls in place; however, they also support the default XFS Manager template provided by WOSA/XFS Standard allowing the attackers to create their own interface with the ATM,” the researchers explained.

This particular variant of Suceful was made to target ATMs manufactured by Diebold and NCR but, as mentioned before, this may change soon enough.

While it’s impossible for ATM users to spot a compromised machine, they are advised to be suspicious of machines that retain their cards. Giving a call to the bank if that happens is always a good idea, preferably while keeping an eye on the ATM in order to spot attempts by suspicious individuals to retrieve the card from the machine.”