Cutlet Maker, An ATM Malware For Sale For $5,000

20/10/2017

Kaspersky researchers discovered a forum post on a darknet market advertising vendor-specific ATM malware for $5,000.

ATMs (Automated Teller Machines) often run on outdated operating systems, like Microsoft's Windows XP. For this reason, many of the machines have become targets of cybercriminal operations in recent years.

According to the description, the malware contains a crimeware kit that can empty ATMs using a vendor-specific API, without needing to tamper with ATM users or their data.

The toolkit contained a password generator called c0decalc, which can crack the ATM's system, and a simulator to scour ATM cassettes for funds, imitating a transaction and forcing the ATM to dispense cash.

In addition to that, the seller included details about necessary equipment, a detailed manual, and also tips and tricks to encourage an ATM to dispense cash.

The malware is dubbed "The Cutlet Maker". And as the name suggests, it requires two people to be involved in a heist. The roles are called "drop" and "drop master," the researchers said. "Access to the dispensing mechanism of Cutlet Maker is password protected. Though there could be just one person with the c0decalc application needed to generate a password."

For a heist, the software needs to be stored on a flash drive. The criminal then has to drill open the ATM to plug the flash drive into the USB port.

"Either network or physical access to an ATM is required to enter the code in the application text area and also to interact with the user interface," Kaspersky added.

After running the malware, the criminal must take this code, access the ATMjackpot portal on the dark web from a mobile device, and enter the code to get a password that unlocks the Cutlet Maker app.

Then the criminal can use the Simulator app to query the ATM's cassette balance and start dispensing money.

Once they know how much money the ATM holds, they can use the four buttons in the Cutlet Maker app:

  • Check heat - dispenses one note from the corresponding four ATM cassettes.
  • Start cooking! - dispenses 60 notes in 50 different series.
  • Stop - stops a "Start cooking!" process.
  • Reset - resets the dispensing process.

This malware was originally published on AlphaBay, which has since been seized by the FBI.