Tyupkin: Malware which is designed for ATM infrastructure.

October 10, 2014

The Dell SonicWALL Threats Research team observed reports of an ATM bot family, detected as GAV: Tyupkin.A, actively spreading in the wild. Tyupkin is an example of malware designed specifically for ATM infrastructure.

The malware could steal millions in cash from ATMs around the world without having to use a credit or debit card. Once Tyupkin is installed on an ATM, it allows the criminals to steal huge amounts of money by simply entering a series of codes.

Infection Cycle:

MD5: af945758905e0615a10fe23070998b9b

The Trojan adds the following files to the system:

    C:\WINDOWS\system32\ulssm.exe [Executable file]

    C:\xfs_supp.sys [5120 KB null file]

    C:\xfstrace.log [Log file]
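As an added illustration (not part of the advisory and not SonicWALL's own tooling), the following Python host check looks for the three dropped files listed above under a given drive root, compares ulssm.exe against the MD5 above, and checks xfs_supp.sys for the reported 5120 KB size. The layout built by demo() is constructed for the test and is not real malware.

```python
import hashlib
import os
import tempfile

# Indicators from the advisory; paths are relative to the system drive root.
TYUPKIN_MD5 = "af945758905e0615a10fe23070998b9b"
INDICATORS = {
    "ulssm.exe": os.path.join("WINDOWS", "system32", "ulssm.exe"),
    "xfs_supp.sys": "xfs_supp.sys",
    "xfstrace.log": "xfstrace.log",
}
NULL_FILE_SIZE = 5120 * 1024  # the advisory reports a 5120 KB null file


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root):
    """Look for the dropped files under a drive root; return one finding per indicator."""
    findings = {}
    for name, rel in INDICATORS.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[name] = "absent"
        elif name == "ulssm.exe":
            # Presence alone is a hit; the hash says whether it is the sample in this advisory.
            match = md5_of(full) == TYUPKIN_MD5
            findings[name] = "present, known sample" if match else "present, unknown hash"
        elif name == "xfs_supp.sys":
            size = os.path.getsize(full)
            findings[name] = "present, %d bytes" % size + (" (5120 KB)" if size == NULL_FILE_SIZE else "")
        else:
            findings[name] = "present"
    return findings


def is_suspicious(findings):
    return any(v != "absent" for v in findings.values())


def demo():
    """Constructed directory layout (not the real malware) so the scanner runs offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    with open(os.path.join(root, INDICATORS["ulssm.exe"]), "wb") as f:
        f.write(b"MZ placeholder binary")  # constructed; its hash will not match TYUPKIN_MD5
    with open(os.path.join(root, "xfs_supp.sys"), "wb") as f:
        f.write(b"\0" * NULL_FILE_SIZE)
    with open(os.path.join(root, "xfstrace.log"), "w") as f:
        f.write("constructed trace line\n")
    return scan_root(root)
```

On a real ATM image, call scan_root() with the mounted system drive root; a "present" result for any indicator warrants pulling the file for analysis even when the hash differs from the sample above.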

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:



The malware interacts with the ATM through the DLL msxfs.dll, the Extension for Financial Services (XFS Manager) library, on the system. That is why dynamic analysis of such malware cannot be performed on a standard system.

The hackers need physical access to the ATM, which lets them insert a boot CD that installs the malware. The malware then runs in the background in an infinite loop awaiting a command from the hackers (it only accepts commands at specific times, such as Sunday and Monday nights).

To activate the malware, a unique combination key based on random numbers is generated, to avoid the possibility of a member of the public accidentally entering a code.

If the malware fails to run on the system, it removes all its own credentials from the system and creates a log file such as the following:

Here is an example of the log file C:\xfstrace.log:

Then it sends ping commands such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • Tyupkin.A