2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2015-09-24" ,
"extends_uuid" : "" ,
"info" : "OSINT Meet GreenDispenser: A New Breed of ATM Malware by ProofPoint" ,
"publish_timestamp" : "1443162155" ,
"published" : true ,
"threat_level_id" : "4" ,
"timestamp" : "1443162075" ,
"uuid" : "560460c7-a840-4949-a92e-3c09950d210b" ,
"Orgc" : {
"name" : "CthulhuSPRL.be" ,
"uuid" : "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443127513" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "560460d9-bf3c-4c26-86fc-4072950d210b" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443127523" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "560460e4-1450-436c-8a5e-3c08950d210b" ,
"value" : "Green Dispenser"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161908" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5604e734-ba4c-4eaf-85e6-4bbc950d210b" ,
"value" : "20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161908" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5604e734-b8f8-4c32-ae7e-484f950d210b" ,
"value" : "50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161908" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5604e734-1324-4ac8-9836-4a95950d210b" ,
"value" : "7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161908" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5604e734-b908-43ea-9db8-4391950d210b" ,
"value" : "b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161908" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5604e734-6af8-4e63-bb24-4d06950d210b" ,
"value" : "77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161946" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5604e75a-a28c-4783-947a-412e950d210b" ,
"value" : "027f6e1ab57db86fc400e5c0ea8f943791ca9943"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161946" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5604e75a-7a7c-4aa6-96cb-4af4950d210b" ,
"value" : "e1f9360f952acf5dabdf2f46458e7842"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161947" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5604e75b-241c-41a9-91e3-47f3950d210b" ,
"value" : "https://www.virustotal.com/file/77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541/analysis/1443114801/"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161947" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5604e75b-36a8-4889-b4cb-4fd5950d210b" ,
"value" : "25f4d7bd393fb8e65de716e6353a1ec11bf6d3b2"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161948" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5604e75c-653c-498a-81a5-4bc1950d210b" ,
"value" : "bcd3cdbded825b96861bfbc7a399b89a"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161948" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5604e75c-ae18-459c-b4af-4b43950d210b" ,
"value" : "https://www.virustotal.com/file/b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f/analysis/1443109076/"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161948" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5604e75c-a284-42e5-8eed-4d69950d210b" ,
"value" : "d9aae7e14b1f6267bc37d5c2ea3ee681b90fbed2"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161949" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5604e75d-872c-497f-baa5-410d950d210b" ,
"value" : "bff1bf173b934a4255b4eca0fbaa6309"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161949" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5604e75d-26e8-4f8f-9c72-40ce950d210b" ,
"value" : "https://www.virustotal.com/file/7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0/analysis/1442563668/"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161950" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5604e75e-b604-447e-902a-460b950d210b" ,
"value" : "8f9428c689aa1953293d240e83530ec00fe1df47"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161950" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5604e75e-c110-4e21-97d1-46df950d210b" ,
"value" : "1dbac403209d1f5aac9bdac28d4ea335"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161951" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5604e75f-d9f4-4589-8cf0-4836950d210b" ,
"value" : "https://www.virustotal.com/file/50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572/analysis/1442618989/"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161951" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5604e75f-d2c4-4f94-811d-4494950d210b" ,
"value" : "b3401a57ddde3b944bafd348f6575ce195883acc"
} ,
{
"category" : "Payload installation" ,
"comment" : "- Xchecked via VT: 20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161952" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5604e760-48dc-4143-847a-4bbe950d210b" ,
"value" : "c10b0157f6fd6590424a748f3c6c80ee"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161952" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5604e760-a404-4a18-8940-4b3e950d210b" ,
"value" : "https://www.virustotal.com/file/20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5/analysis/1443136260/"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443161975" ,
"to_ids" : false ,
"type" : "mutex" ,
"uuid" : "5604e777-35b8-43eb-aa1d-4f7c950d210b" ,
"value" : "dispenserprgm"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443162020" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5604e7a4-0054-4380-8b2f-4026950d210b" ,
"value" : "GreenDispenser"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1443162075" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5604e7db-6620-4451-8736-4bf2950d210b" ,
"value" : "On the heels of recent disclosures of ATM malware such as Suceful [1], Plotus [2] and Padpin [3] (aka Tyupkin), Proofpoint research has discovered yet another variant of ATM malware, which we have dubbed GreenDispenser.\r\n\r\nGreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an \u2018out of service\u2019 message on the ATM -- but attackers who enter the correct pin codes can then drain the ATM\u2019s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.\r\n\r\nDeployment and Operation\r\n\r\nInitial malware installation likely requires physical access to the ATM, raising questions of compromised physical security or personnel. Once installed, GreenDispenser is similar in functionality to Padpin but does exhibit some unique functionality, such as date limited operation and a form of two-factor authentication.\r\n\r\nSpecifically, GreenDispenser like its predecessors interacts with the XFS middleware [4], which is widely adopted by various ATM vendors. The XFS middleware allows software to interact with the peripherals connected to the ATM such as the pinpad and the cash dispenser by referencing the specific peripheral name. GreenDispenser has the ability to target ATM hardware from multiple vendors using the XFS standard. It achieves this by querying for peripheral names from the registry hive before defaulting to hardcoded peripheral names.\r\n\r\nThe malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection. Furthermore, GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN -- a two-factor authentication of sorts. This feature ensures that only an authorized individual has the ability to perform the heist. In addition, GreenDispenser has the capability to perform a deep delete after the heist to prevent forensic analysis and IR investigations."
}
]
}
}