ATMjackpot

A hacker or hacker group is selling a strain of ATM malware that can make ATMs spit out cash just by connecting to its USB port and running the malware.

Named Cutlet Maker, this strain has been sold on the AlphaBay Dark Web marketplace since May 2017, but today, its operators opened a new standalone website after US authorities had taken down AlphaBay in mid-July.

Crooks launch ATMjackpot

This new website is named ATMjackpot and sells the same ATM malware strain, albeit with some modifications.

Its operators claim that Cutlet Maker can work on any Wincor Nixdorf ATM, and all that's needed is access to the ATM's USB port.

The ATMjackpot crew posted four videos that show how someone can gain access to an ATM's USB port, connect the needed hardware, run the malware, and make the ATM spit out cash. Bleeping Computer has uploaded two of the four videos on YouTube, embedded below. We removed the sound from one video as it contained a copyrighted song.

Btw, did you notice the hilariously easy way of getting physical access? Once, crooks needed explosives, powerful drills, or chains to tie the ATM's interface to a car. Not anymore. A knife is all you need.

Cutlet Maker is currently sold on the ATMjackpot portal for $1,500 worth of Bitcoin, a price that will double starting with the buyer's second month.

The price of this fee represents one credit, and one credit is valid for cashing out one ATM.

How Cutlet Maker works

As described in the video above, a typical Cutlet Maker attack takes place when crooks approach an isolated ATM, expose its USB port, and connect a USB hub. In the hub, they connect a wireless keyboard and mouse, and a Flash storage device on which they're storing the Cutlet Maker malware.

The malware package consists of two files: Cutlet Maker (the main app used to interact with the ATM's software APIs) and Stimulator (an app to get the content of each of the ATM's cash cassettes).

Once they're connected, users must run the main Cutlet Maker malware. When they do, the malware displays a code in the bottom-right corner of the window.

Cutlet Maker app GUI

Buyers must take this code, access the ATMjackpot portal from their phone (with Tor installed) and enter the code to get a password that unlocks the Cutlet Maker app.

ATMjackpot website

ATMjackpot website

Crooks can then use the Simulator app to query the current ATM cassette balance and start dispensing money.

Once they know how much money the ATM holds, they can use the four buttons in the Cutlet Maker app. Each of these buttons does the following:

CHECK HEAT - dispenses one from the corresponding four ATM cassettes
start cooking! - dispenses 60 notes in 50 different series
Stop - stops a "Start cooking!" process
Reset - resets the cash dispensing process

Malware previously sold on AlphaBay

Kaspersky Lab has also released today a report that details how an older version of the Cutlet Maker malware worked. The report describes the version sold on AlphaBay earlier in the year.

The malware sold on the ATMjackpot website launched today works differently. The AlphaBay version used three files, with the two from above plus c0decalc — an file that worked as a license generator for the main app. In its most recent version, the ATMjackpot Dark Web portal appears to have replaced the c0decalc file.

According to the same report, the Cutlet Maker malware is coded in Delphi, and its name comes from Russian jargon, where the word "cutlet" means "roll of money."

Kaspersky claims that ATMs protected with the Kaspersky Embedded Systems Security (KESS) will block Cutlet Maker from working. A report published last week by Embedi researchers has shown a way to bypass KESS.