Backdoors Affect Bitcoin ATMs and ATMs Alike

The Bitcoin ATM, as a relatively new industry, has perhaps not been put to the test the way Bitcoin exchanges have. This has some criminals wondering whether Bitcoin ATMs could be a good place to steal value.

Criminals all over the world already target regular ATMs, and, perhaps reasoning that the amateur nature of the Bitcoin industry would make its ATMs susceptible too, someone has now designed malware for a Bitcoin ATM.

Malware researchers at a Russian security firm have identified a new Trojan designed for Linux devices which takes screenshots and logs keystrokes.

Researchers at the security firm Dr Web suggest that the Linux spyware (labeled Linux.BackDoor.Xunpes.1) was designed specifically to target Bitcoin ATMs made by Spain-based Bitcoin startup Pay MaQ.

Dr Web researchers highlight a "dropper", the installer component of the malware, which is triggered through a login page bearing Pay MaQ's logo. Once the package is run, a backdoor is saved to the folder /tmp/.ltmp/.

The backdoor allows a remote server to connect over an encrypted channel, take screenshots and log keystrokes, and then transmits the resulting data back to that server. The malware researchers could not say for certain whether Pay MaQ is the only Bitcoin ATM software targeted.
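The one host-level indicator the article gives is the drop folder /tmp/.ltmp/. As an added example (not code from the article, Dr Web or Pay MaQ), the following check walks a /tmp-style directory and flags hidden subdirectories that either match that known name or contain executable files, with a constructed sample tree standing in for a real machine:

```python
import stat
import tempfile
from pathlib import Path

# Indicator taken from the article: the Xunpes dropper writes its backdoor to /tmp/.ltmp/
KNOWN_DROP_DIRS = {".ltmp"}


def find_suspicious_tmp_dirs(tmp_root):
    """Return sorted (path, reason) pairs for hidden directories directly under
    tmp_root that match a known drop-directory name or hold an executable file."""
    findings = []
    for entry in Path(tmp_root).iterdir():
        if not entry.is_dir() or not entry.name.startswith("."):
            continue  # only hidden directories are of interest here
        if entry.name in KNOWN_DROP_DIRS:
            findings.append((str(entry), "matches known Xunpes drop directory name"))
            continue
        for f in entry.rglob("*"):
            # any file with the owner-execute bit set inside a hidden /tmp dir is worth a look
            if f.is_file() and f.stat().st_mode & stat.S_IXUSR:
                findings.append((str(entry), f"contains executable {f.name}"))
                break
    return sorted(findings)


def build_sample_tmp():
    """Constructed sample tree for demonstration; the 'payload' file is empty, not malware."""
    base = Path(tempfile.mkdtemp())
    (base / ".ltmp").mkdir()
    (base / ".ltmp" / "payload").write_bytes(b"")      # empty placeholder file
    (base / ".X11-unix").mkdir()                        # benign hidden dir, no executables
    (base / ".cache").mkdir()
    script = base / ".cache" / "run.sh"                 # unknown hidden dir with an executable
    script.write_text("#!/bin/sh\n")
    script.chmod(0o755)
    (base / "normal").mkdir()                           # non-hidden dir, ignored
    return base


if __name__ == "__main__":
    for path, reason in find_suspicious_tmp_dirs(build_sample_tmp()):
        print(f"{path}: {reason}")
```

On a live system call find_suspicious_tmp_dirs("/tmp") as a user that can read the directory; benign hidden directories such as .X11-unix are expected there, so the executable check is what separates noise from leads.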

Pay MaQ originally ran an Indiegogo campaign in 2014 to fund "low-cost" Bitcoin ATMs, but did not meet its €60,000 target. Why such malware would be designed for a machine of essentially no consequence is unclear.

“The investigation is still ongoing,” Dr Web’s spokesman said. “The C&C server was hosted on some suspicious website which went 403 a few days ago. Maybe victims were downloading malware from there and it got shut down after getting attention from infosec specialists.”

Bitcoin ATMs are not the only machines being targeted. Law enforcement authorities in Romania and Moldova neutralized earlier this month a criminal network responsible for the theft of 200,000 euros from ATMs in the European Union and Russia using malware.

Researchers first documented the malware in October 2014, dubbing it Tyupkin. It can be installed on ATMs through a CD, after which the infected ATM dispenses cash in response to commands entered on its PIN pad. The attackers targeted machines made by the US manufacturer NCR.

The malware instructed the ATM software to delete itself once the theft was completed. ATMs in Romania, Moldova, Hungary, the Czech Republic, Spain and Russia were targeted. Researchers have also recently found another malware family, called Padpin, used to infect ATMs. But those are not the only ATMs recently compromised.

In September, FireEye discovered another ATM malware program, dubbed Suceful, which trapped people's credit and debit cards inside ATMs. Also in September, another malware program, called GreenDispenser, was found on ATMs in Mexico.

Author:
Justin O'Connell is the founder of financial technology focused CryptographicAsset.com. Justin organized the launch of the largest Bitcoin ATM hardware and software provider in the world at the historical Hotel del Coronado in southern California. His works appear in the U.S.'s third largest weekly, the San Diego Reader, VICE and elsewhere.