New Malware Targeting ATMs of Major U.S. Banks
Roshan Ashraf Shaikh / 5 years ago
A new malware family called “Dump Memory Grabber” has been found collecting credit and debit card data from ATMs and point-of-sale (POS) systems belonging to major U.S. banks.
The malware was reported by the Russian security company “Group IB”, which believes its author is affiliated with a Russian cyber-crime gang. The company states that the malware has already stolen credit and debit card data from major U.S. banks such as Chase, Capital One, Citibank and Union Bank of California. Group IB is currently working closely with VISA, U.S. banks and U.S. law enforcement, sharing its findings about the Dump Memory Grabber malware.
The “Dump Memory Grabber” malware collects and transfers the Track 1 and Track 2 data encoded on the magnetic stripe of credit and debit cards. This information includes the cardholder’s first and last name, the expiration date and the account number. With this information, one can create a cloned physical debit card.
The malware is written in C++ without any additional libraries. It adds itself to the system’s registry so that it runs automatically whenever the system starts. It then creates a txt file containing memory dumps and the stolen data, which is transferred to a remote server via FTP. The Russian origin was inferred from the remote server’s IP address, which belongs to a Russian ISP called “Selectel”, and from its association with the domain name “CISLAB”, which belongs to a Russian company.
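The two paragraphs above describe what the malware harvests (Track 1 and Track 2 magnetic-stripe data) and where it stages it (a plain-text dump file written to disk before FTP exfiltration). A defender hunting for this kind of memory-scraping POS malware can scan suspicious files, process memory dumps or FTP captures for track-formatted card data. The following scanner is an added example, not code from the article or from Group IB: it matches the standard Track 1 and Track 2 layouts (ISO 7813 format B, with the PAN, cardholder name, YYMM expiry and service code fields) and applies a Luhn check to discard random digit runs. The sample buffer is constructed for the example, using a well-known Luhn-valid test number, and the field names are this example’s own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1, ISO 7813 format B:  %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^\?]*)\?")
# Track 2:                     ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^\?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int                 # 1 or 2
    offset: int                # byte offset of the match in the scanned buffer
    masked_pan: str
    expiry: str                # MM/YY as printed on the card
    cardholder: Optional[str]  # only present on Track 1


def scan_for_track_data(data: bytes) -> List[TrackHit]:
    """Scan an arbitrary buffer (dump file, memory image, pcap payload) for track data."""
    text = data.decode("latin-1")   # byte-preserving decode; offsets stay 1:1 with bytes
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            hits.append(TrackHit(1, m.start(), mask_pan(pan),
                                 f"{m.group(4)}/{m.group(3)}", m.group(2).strip()))
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            hits.append(TrackHit(2, m.start(), mask_pan(pan),
                                 f"{m.group(3)}/{m.group(2)}", None))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample resembling the txt dump described in the article. The PAN is the
# standard Luhn-valid test number; the final line has a corrupted check digit and must be ignored.
SAMPLE_DUMP = (
    b"pos.exe heap 0x00A3F000\n"
    b"%B4111111111111111^DOE/JANE^27051010000000000?\n"
    b"\x00\x00;4111111111111111=27051010000000000?\x00\x00\n"
    b";4111111111111112=27051010000000000?\n"
)


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(f"track{hit.track} @0x{hit.offset:04x} pan={hit.masked_pan} "
              f"exp={hit.expiry} name={hit.cardholder}")
```

Run over real artefacts, the masked output is safe to forward to a SIEM; the unmasked PAN never leaves the function. Because the pattern anchors on the `%B`/`;` sentinels, the field separators and the trailing `?`, it is far more selective than a bare 16-digit regex, and the Luhn filter removes most of the remaining noise from binary data.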
Blanchard’s Liquors in Boston also had its POS systems affected by malware over the weekend, with reports of customers being charged for purchases they did not make. After notifying its customers, the store took down its credit card machines. It is not clear whether it was affected by the same malware.
Andrey Komarov, CTO of CERT-GIB, which is affiliated with Group IB, pointed out that they have also located one of the C&C (Command and Control) servers, but that many POS systems and ATMs were infected and the issue is still under investigation.
Source: Security Week