
Skimer Malware Targets ATMs

This is a security alert for all TruShield clients, the financial services industry, and the community at large. We have learned of a recent wave of threats targeting the financial service industry. The threat is a malware known as Skimer that targets ATMs.

About the malware

Skimer is malware that was discovered by Kaspersky Lab in 2009, and it was the first malware to attack ATMs. Kaspersky Lab has identified 49 variations of the malware, 37 of which are aimed at ATMs. In May, a new and improved version of Skimer was discovered that is difficult to analyze, because the malware is concealed with a packer called Themida. According to Kaspersky researchers, Themida is a legitimate packer that has been abused by many malware developers, and in this case it packs both the infector and the dropper. A malicious actor may use this malware at ATMs to dispense money and to steal card credentials such as the PINs and card numbers of victims.

How it works

Once running, the malware drops a file named netmgr.dll. Where it is dropped depends on the file system: on FAT32 it is written into the System32 folder, while on NTFS it is written into an NTFS alternate data stream attached to the XFS service executable, SpiService.exe. According to the Kaspersky researchers, hiding the dropped file inside an NTFS data stream is what makes this stage difficult to analyze.

After the malware has successfully entered the system, it reboots the ATM, and the malicious library is loaded into SpiService.exe through a new LoadLibrary call. The malware is then able to interact with the device because it has full access to XFS. The attackers control the malware using two types of cards carrying specially crafted Track 2 data. “One of the cards is designed for executing commands hardcoded in Track 2, while the other allows attackers to launch one of 21 predefined commands using the PIN pad and the malware interface,” as stated by Kovacs of SecurityWeek.

With this control, a malicious actor can use the malware to make the ATM dispense money and to steal card credentials such as the PINs and card numbers of victims. The same interface can also be used to erase the malware, troubleshoot it, and upgrade it with code stored on the special card.

ATMs are accessible to anyone, and it takes only one malicious actor compromising such a system to wreak havoc. As ATM malware advances it will become harder to detect, but the right security controls will prevent it.

Kaspersky researchers recommend the mitigation steps below:

  • Detect infected ATM systems by searching processing systems for card numbers that appear in the Track 2 IOCs below
  • Regular AV scans
  • Use whitelist technologies
  • Device management policies
  • Full disk encryption
  • Protection of ATM BIOS with a password
  • Only allowing HDD booting
  • Isolating ATM network from any other internal bank networks
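The first mitigation above, searching processing-system records for card numbers that match the Track 2 indicators, is the one a bank's detection team can act on most directly. The following is an added example, not code from Kaspersky Lab or TruShield, of how such a check can be implemented: it parses Track 2 data in the ISO/IEC 7813 layout (start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel), compares the PAN against a watchlist, and additionally flags PANs that fail the Luhn check as a heuristic for crafted Track 2 data. The watchlist PANs and the log line format are constructed placeholders, since the alert's IOC table did not survive on this page; replace them with the published indicators and your own transaction log format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN (up to 19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary data,
# '?' end sentinel. Transaction logs often omit the sentinels, so both forms
# are accepted here.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??$"
)

# PLACEHOLDER watchlist: constructed test PANs standing in for the alert's
# Track 2 IOCs, which must be taken from the published indicator list.
WATCHLIST_PANS = {
    "4111111111111111",
    "5500000000000004",
}

# Constructed sample log lines in an assumed "<time> atm=<id> track2=<data>"
# format; real processing-system exports will differ.
SAMPLE_LOG = [
    "2016-05-20T10:12:03Z atm=ATM-0042 track2=;4111111111111111=2212101123456789?",
    "2016-05-20T10:12:41Z atm=ATM-0042 track2=;4000056655665556=2110201000000000?",
    "2016-05-20T10:13:09Z atm=ATM-0017 track2=5500000000000004=2305101987654321",
    "2016-05-20T10:13:30Z atm=ATM-0017 status=ok",
    "2016-05-20T10:14:02Z atm=ATM-0099 track2=;1234567890123456=2401101000000000?",
]


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse one Track 2 string; return None if it does not fit the layout."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; a PAN that fails it was not issued by a real scheme."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so alerts do not leak full card numbers."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: Iterable[str], watchlist=WATCHLIST_PANS) -> List[dict]:
    """Return one alert per log line whose Track 2 PAN is on the watchlist
    or fails the Luhn check (heuristic for crafted command cards)."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = re.search(r"track2=(\S+)", line)
        if not m:
            continue                      # no card data on this line
        t2 = parse_track2(m.group(1))
        if t2 is None:
            continue                      # not Track 2 shaped; ignore
        reason = None
        if t2.pan in watchlist:
            reason = "watchlist"
        elif not luhn_ok(t2.pan):
            reason = "luhn_fail"
        if reason is None:
            continue
        atm = re.search(r"atm=(\S+)", line)
        alerts.append({
            "line": lineno,
            "atm": atm.group(1) if atm else "unknown",
            "pan": mask_pan(t2.pan),
            "service_code": t2.service_code,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The scan deliberately reports masked PANs only, so the alert output itself does not become a new store of card data. The Luhn heuristic is an assumption of this example rather than a published Skimer indicator; treat it as a low-confidence signal to be reviewed alongside the watchlist hits.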

Indicators of Compromise


Track 2 Data





Copyright © 2018