A Trojan that infects ATMs of one international manufacturer that are used by various banks in Russia and Ukraine. The Trojan's main payload is incorporated into a dynamic-link library stored in the NTFS stream of the following infected file: C:\WOSASSP\BIN\FWMAIN32.EXE.
If NTFS is used in the compromised system, Trojan.Skimer.19 also stores its logs in data streams as follows:
%windir%\desktop.ini:userA—transaction log (bank card tracks and encrypted PIN blocks),
%windir%\desktop.ini:userB—log on intercepted keys that are used to decrypt PIN codes.
If another file system is used in the compromised system, logs are saved to the following files:
%windir%\userA
%windir%\userB
Once the ATM's OS is infected, Trojan.Skimer.19 starts monitoring Encrypted Pin Pad (EPP) keystrokes waiting for a specific input combination that can initiate the execution of a command entered by a cybercriminal via EPP. This can be possible only if cybercriminals possess a special master card. The malicious program can execute the following commands:
- Save the log files on the cards chip, decrypt PIN codes.
- Remove the Trojan's library and log files, “cure” the host file, and reboot the system (cybercriminals issue the command to the infected ATM twice; the second command comes no later than 10 seconds after the first).
- Display statistics including the number of transactions, bank cards, intercepted encryption keys, and so on.
- Delete all log files.
- Reboot the system.
- Read the executable file from the card's chip to update the Trojan.
To decrypt intercepted data, Trojan.Skimer.19 uses the software installed on the ATM or its own version of the DES symmetric-key algorithm and encryption keys that were intercepted and saved into the userB log file earlier.