Virus Type: Virus / Malware
Also called: Backdoor.MSIL.Tyupkin
Tyupkin is a piece of malware that allows cyber criminals to empty cash machines via direct manipulation. This malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.
The cyber criminals work in two stages:
Stage 1 –Access and Infection
First, they gain physical access to an ATM and insert a bootable CD to install the malware – code named Tyupkin (Backdoor.MSIL.Tyupkin). Once the ATM system has been rebooted, the infected ATM is under their control.
Stage 2 – Control and Theft
The infected ATM then runs in an infinite loop waiting for a command. In order to make the scam harder to identify, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. It is during those times that the cyber criminals are able to steal money from the infected machine.
Video Footage obtained from security cameras at the infected ATMs showed the methodology used to access cash from the machines. A unique digit combination key based on random numbers is freshly generated for every session. This ensures that no person outside the gang could accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the cyber-criminal gang who knows the algorithm and is able to generate a session key based on the number shown. This ensures that the mules collecting the cash do not try to go it alone.
When the key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. After this the ATM dispenses 40 banknotes at a time from the chosen cassette.
Where is the Tyupkin virus infecting ATM machines?
Based on statistics culled from VirusTotal, malware submissions have been seen from the following countries:
Countries where the Tyupkin malware is live
View the Tyupkin ATM Security breach video