A new strain of malware that targets automated teller machines running Windows 7 and Windows Vista has been detected in the wild stealing account credentials and money from unsuspecting victims.
Detailed by security researchers at Kaspersky, the ATMii malware, also known as Backdoor.Win32.ATMii, is described as less sophisticated than similar ATM malware strains and uses only two files: exe.exe and dll.dll. Criminals using the malware install it via either network or USB access to the targeted ATM and then run exe.exe to inject the malicious dll.dll. Once it is installed, the attacker is able to interact with the legitimate atmapp.exe process and control the ATM.
“The injector is an unprotected command line application, written in Visual C with a compilation timestamp: Fri Nov 01 14:33:23 2013 UTC,” Kaspersky researcher Konstantin Zykov explained. “Since this compilation timestamp is from four years ago – and we do not think this threat could have gone unnoticed for four years – we believe it is a fake timestamp.”
Rather ironically, the malware is rated as having a fairly low-risk profile for the most unexpected of reasons: Most ATMs run Windows XP and are therefore unable to be infected by ATMii because it only works on later versions of Microsoft Corp.’s operating system.
“ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM,” Zykov added. “Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.”
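The two countermeasures Zykov names can be expressed as a single default-deny check over endpoint events. The sketch below is an added example, not code from Kaspersky or from the article. The event schema, the allowlists, the file paths and the stand-in hashes are all constructed, and modelling the dll.dll injection as an image-load event in atmapp.exe is an assumption about how it would appear in telemetry.

```python
import hashlib

def fake_hash(label):
    # Constructed stand-in for a file's SHA-256; a real policy hashes file contents.
    return hashlib.sha256(label.encode()).hexdigest()

# Default-deny policy: only these binaries may run or be loaded (constructed list).
ALLOWED_HASHES = {fake_hash(n) for n in ("atmapp.exe", "vendor_xfs.dll", "kernel32.dll")}
# Device control: only these device classes may attach (constructed list).
ALLOWED_DEVICE_CLASSES = {"cash_dispenser", "card_reader", "pin_pad"}

# Constructed events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ATM\atmapp.exe", "sha256": fake_hash("atmapp.exe")},
    {"type": "image_load", "process": "atmapp.exe",
     "module": r"C:\ATM\vendor_xfs.dll", "sha256": fake_hash("vendor_xfs.dll")},
    {"type": "device_connect", "device_class": "usb_mass_storage"},
    {"type": "process_create", "image": r"E:\exe.exe", "sha256": fake_hash("exe.exe")},
    {"type": "image_load", "process": "atmapp.exe",
     "module": r"E:\dll.dll", "sha256": fake_hash("dll.dll")},
]

KNOWN_TYPES = ("process_create", "image_load", "device_connect")

def evaluate(events, allowed_hashes=ALLOWED_HASHES, allowed_devices=ALLOWED_DEVICE_CLASSES):
    """Return (index, verdict) for every event the policy would deny."""
    denied = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind not in KNOWN_TYPES:
            # Default-deny also covers input the policy does not recognise.
            denied.append((i, "deny-unknown-event"))
        elif kind == "process_create" and ev.get("sha256") not in allowed_hashes:
            denied.append((i, "deny-exec: " + ev["image"]))
        elif kind == "image_load" and ev.get("sha256") not in allowed_hashes:
            denied.append((i, "deny-load into %s: %s" % (ev["process"], ev["module"])))
        elif kind == "device_connect" and ev.get("device_class") not in allowed_devices:
            denied.append((i, "deny-device: " + str(ev.get("device_class"))))
    return denied

if __name__ == "__main__":
    for idx, verdict in evaluate(SAMPLE_EVENTS):
        print(idx, verdict)
```

Each control stops the chain at a different point: device control rejects the USB stick, and the allowlist rejects exe.exe and the dll.dll load even if the files arrive over the network instead.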