New ATM malware called Alice set on stealing cash

The malware first appeared in 2014, and its only function is to connect to the ATM’s currency dispenser peripheral. Alice makes no attempt to connect to other ATM hardware such as the machine’s PIN pad, so it is not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process: it works simply by running the executable in the target environment.

To use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or a USB device. They would then need to connect a keyboard to the machine’s motherboard to operate the malware.

To get an infected machine to dispense cash, the fraudster needs to enter a specific four-digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.

By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Although most ATMs have a 40-banknote limit when dispensing cash, Alice dynamically updates the stored cash level of each cassette and displays it in the operator panel, so the attacker knows when they are close to emptying a cassette.
