Kaspersky Lab says that it discovered the Tyupkin malware after a forensic investigation conducted at the request of an unknown financial institution. Interpol is now working with countries to investigate the software, which has been spotted in Europe, Latin America, and Asia.

The attack first requires crooks to gain physical access to ATMs so that bootable CDs can be installed. Then, after a system reboot the infected ATM is under control and the malware runs in an infinite loop waiting for a command.

To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.

When a gang member visits an infected ATM a unique digit combination appears on the screen. This is relayed to another crook over the phone who knows the algorithm needed to generate a session key. When the key is entered, the ATM displays details of how much money is in each cash cassette and invites the operator to choose one. Once this is done, 40 notes are dispensed.



Vicente Diaz, principal security researcher, Kaspersky Lab, says: "Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks."

The security company is advising banks to review the physical security of their ATMs and network infrastructure, change default Bios passwords and make sure machines have up-to-date antivirus protection.