How do you Spell “Success”? Not like this….

What do you get when you misspell “successful” and mix it up with a really nasty piece of ATM banking malware? Meet Suceful, the malware that makes you feel better about your own lack of spelling abilities but can rob you blind.

“I rob banks because that’s where the money is”.

Discovered by FireEye Labs this past August, Suceful is just one manifestation of the many different kinds of banking malware out there. Right in line with what Willie Sutton, the famed bank robber in the 1930’s said, the banks are where the money is, so banking malware, and ATM malware in specific isn’t so shocking. The banking industry is plagued with all sort of nasties trying to take money out of the accounts of innocent victims only to be redistributed into the creator’s pockets.

Recently we have seen ATM malware that can steal user’s PIN numbers from remote locations like gas pumps and attacks where ATM USB ports were physically switched by hackers for ports that relay information back to the hackers. As each hack is exposed, the the bar of what is expected from an attack is raised – The next attempt has to be bigger and better than the one before.

ATM Malware – The Next Generation

What makes Suceful so succe… errr..remarkable, is the scope of what it can do. According to FireEye, Suceful is “The next generation in ATM malware”. This is one piece of malware that does it all. Hackers infect the ATM machine with Suceful via the standard ATM hardware called XFS. All ATMs rely on XFS platforms to provide a client-server banking architecture. In general these platforms are pretty secure but some run default scripts which can lead to vulnerabilities.

Once infected, the malware can read encrypted information stored on the inserted card’s magnetic strip and can disable ATM sensors which helps the malware avoid detection. It retains PIN numbers and most shockingly, it can retain the physical credit card itself where it waits for the perps until they come to get it. Suceful can be executed on a wide range of ATM machines – some commonly found brands on which it can be deployed are NRC and Diebold.

Thus far Suceful has not been seen in the wild since it was first discovered by FireEye on a forum user’s computer. Given its impressive features though, it’s safe to assume that whoever created it may likely want to give it a whirl one day soon. Just think about CoreBot which we reported on last week – it took less than a month for the tiny password stealer to morph into another full blown banking trojan so stay tuned for more information!

In the meantime it’s a good idea to stay alert and if you notice anything out of the ordinary about an ATM, don’t use it. Keep your bank’s emergency number on hand and if your card is ever swallowed, inform your bank immediately.


Leave a Reply