GreenDispenser malware makes ATMs spit out cash


A new type of malware is being used to drain ATMs in Mexico of all the cash they contain. Dubbed GreenDispenser by Proofpoint researchers, the malware displays an “out of service” message, but attackers who enter the right PIN code make the machines spit out money.

“Initial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel,” the researchers noted.

Like Suceful before it, GreenDispenser can target ATM hardware from multiple vendors because it uses the XFS standard.

A particularly curious detail is that the malware is set to run only during a specific period: in 2015, before the month of September.

“GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM,” the researchers explained.

“We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist.”

Finally, the malware can delete itself after the theft is executed.

The researchers say that the current attacks have been limited to Mexico, but the malware can just as easily be used to compromise ATMs around the world, and it probably will be, in time.

“ATM malware such as GreenDispenser is particularly alarming because it allows cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers and with correspondingly less traceability,” commented Kevin Epstein, VP of Threat Operations for Proofpoint. “In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.”