Scribd
Upload
2K views16 pages

ATM-Jackpotting P4WNP1-style With Malware XFS - DIRECT: Frank Boldewin (@r3c0nst)

The document describes how attackers used a Raspberry Pi Zero running P4WNP1 to inject malware onto an ATM's operating system. P4WNP1 acts as a HID device to gain remote access via its backdoor. It then loads and executes the XFS_DIRECT malware, which presents a menu to dispense cash or display status messages by interfacing with the ATM's dispenser and PINPAD components. The malware disables network adapters to prevent alarms while in use. Analysis found the malware calls XFS functions to interface with the ATM's components and a YARA rule was created to detect it.

Uploaded by

ANZA HIDAYAT
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
2K views16 pages

ATM-Jackpotting P4WNP1-style With Malware XFS - DIRECT: Frank Boldewin (@r3c0nst)

The document describes how attackers used a Raspberry Pi Zero running P4WNP1 to inject malware onto an ATM's operating system. P4WNP1 acts as a HID device to gain remote access via its backdoor. It then loads and executes the XFS_DIRECT malware, which presents a menu to dispense cash or display status messages by interfacing with the ATM's dispenser and PINPAD components. The malware disables network adapters to prevent alarms while in use. Analysis found the malware calls XFS functions to interface with the ATM's components and a YARA rule was created to detect it.

Uploaded by

ANZA HIDAYAT
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

ATM-Jackpotting P4WNP1-style

with malware XFS_DIRECT


Frank Boldewin (@r3c0nst)
Background story 1/2

 Some time ago I had the opportunity to analyze a previously


unknown ATM malware.
 The malicious code resided on a Raspberry PI Zero W running
the Raspbian OS and the well-known USB attack platform
P4WNP1.
 P4WNP1 was configured to act as a HID device. As usual with
classic Jackpotting, the perpetrators gained physical access to
the PC inside the ATM. A process that is usually carried out by
using a simple key, drilling or levering on distinctive places.
 P4WNP1’s HID covert channel backdoor then tries to gain
remote access to the ATM’s operating system. This usually
works because Windows 7 to 10 have a Plug and Play install
feature if it detects attached HID devices.
ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT 2
Background story 2/2

 If no device protection is in place, like a special filter driver


which whitelists trusted devices, P4WNP1’s HID backdoor code
then types out a PowerShell script, which builds and executes a
covert channel communication stack, initializes its basic
interface to the custom HID device and receives a PE Injection
Module, which then transfers+executes the final ATM malware.
 As the PI Zero W comes with wireless LAN connectivity,
attacker’s activated P4WNP1’s Wi-Fi Hotspot feature to provide
remote access via SSH. The perpetrators then reach the device
by using a SSH client on a Smartphone.

Let’s inspect the details!


ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT
3
P4WNP1.PY: Stage1 + PE-Injection Module config parsing

Variable to P4WNP1’s Stage1


located in config.txt
Variable to P4WNP1’s PE-Injection Module  Stage1.ps1
also located in config.txt
 Invoke_Module.txt

P4WNP1’s original Mainhandler written in Python was adjusted by the perpetrators to inject the ATM malware.

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT 4


Stage1.ps1: PE-Injection Module loader code + final payload
loader code
PE-Injection Module “Invoke_Module.txt” gets Base64-unencoded and unzipped before execution.

The final payload (decimal ASCII text containing the ATM-Malware) gets loaded, transformed to a
binary blob and passed to the Invoke-ReflectivePEInjection routine inside “Invoke_Module.txt “

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT 5


Invoke-Module.txt: PE-Injection Module for final payload
injection
Invoke-ReflectivePEInjection takes the binary blob of the final Payload, injects the malware and executes it.
Original code has been taken from:
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT


6
The final payload (Obfuscation layer)

The Pi Zero W contains 5 payloads


(payload.txt and payload<1-4>.txt).
Depending on the configuration one
of them gets executed. All payloads
use the same obfuscation technique
to avoid detection.

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT


7
PE-compilation dates + SHA256 hashes
(obfuscated+unobfuscated)

Until 18th October 2019 these samples haven’t been emerged on Virustotal.

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT 8


First inspection of the ATM malware
called XFS_DIRECT (1/2)
 All samples seem to have the same code base,
with slight adjustments.
 After a bunch of initialization steps a menu is
presented to its users.
 The malware implemented a challenge/response
procedure to have control over its use.
 By entering ‘777’ via the ATM’s PINPAD a
session key is being generated and the user
has to enter a Master-Key. For testing purposes
it has been “patched” to accept every
response-key. ;)
 Afterwards the menu is loaded again but with
FULL ACCESS to dispense cash  ‘1’ via PINPAD 9
First inspection of the ATM malware
called XFS_DIRECT (2/2)
 Entering ‘55’ obtains CDM status information
 Entering ‘44’ presents an “Out of Service” message

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT 10


XFS_DIRECT under the hood (1/2)

At start XFS_DIRECT disables all network adapters to prevent alarms being send to the bank’s datacenter.
When exiting network adapters are reenabled again.
ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT
11
XFS_DIRECT under the hood (2/2)
Dispenser (CDM) XFS function calls PINPAD (EPP) XFS function calls

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT


12
YARA rule to detect XFS_DIRECT

Also available here  https://raw.githubusercontent.com/fboldewin/YARA-rules/master/ATM.Malware.XFS_DIRECT.yar


13
Summary

 While attacks with a Raspberry PI Zero and a HID-backdoor


have already been shown as proof of concepts in the past by
some cybersecurity companies, this case proofs attackers also
use such techniques ITW.
 The new ATM malware XFS_DIRECT seamlessly joins a large
family of comparable malicious programs.
 Protective measures against these type of attacks are widely
documented and should be mandatory on ATMs.

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT


14
Final note!

The author of P4WNP1, Marcus Mengs (@mame82), kindly


asked me to reference the disclaimer of his framework. He’s
taking no responsibility for the abuse of P4wnP1 or any
information given in the related documents. It’s dedicated to
penetration-testers, redteamers and InfoSec personal.

https://github.com/mame82/P4wnP1/blob/master/DISCLAIMER.md

ATM-Jackpotting P4WNP1-style with malware XFS_DIRECT


15

You might also like