A Latin American/West Asia gang is believed to be behind several incidents of Automated Teller Machine (ATM) hacking in Malaysia involving about RM3 million being stolen from banks in Kuala Lumpur, Selangor, Malacca and Johor Baru over the past few days.

So far the banks that were targeted are Affin Bank, Al-Rajhi Bank and Bank Islam, according to news reports. The gang is also believed to be involved in burglaries that hit more than 15 homes last year.

Images of the suspect released by the police. Source: Polis Diraja Malaysia (PDRM)

Six men and a woman, believed to be from Panama and Guatemala, were detained by police last Friday in two raids in Subang Avenue and USJ19, following two weeks of surveillance. The suspects, aged between 25 and 43, will be detained for 14 days to assist investigations.

Royal Malaysia Police (PDRM) Cyber Crime and Multimedia Investigation deputy director SAC Mohd Kamarudin Md Din said this was the first time in Malaysia that a virus was used to steal money from ATMs.

Initial investigations revealed that the syndicate had used a virus known as ULSSN to disrupt the ATM system. Police checks showed that the suspects had opened a panel on top of the ATMs using a common key, then inserted a compact disc into the CD-ROM drive inside the machine to install malware known as Backdoor.Padpin (ulssm.exe). After infecting the machine, the suspects removed the CD and relocked the panel before starting to withdraw money from the machine.

The suspects would then wait for instructions from other syndicate members, who would also provide them with codes by phone. The codes would be entered in the normal way using the ATM keypad.

The virus then reboots the ATM system and allows the syndicate to withdraw money multiple times from the targeted machine. Afterwards, the suspects would stuff the ATM card slot with a SIM card or cigarette butts to prevent others from using the machine. This is believed to be a delaying tactic so that the tampering would not be detected immediately.

It is understood that the virus was created only to take over the ATM's own system, not the bank's other systems and facilities. Police said the bank accounts of individual customers were intact.

Some of the ATMs targeted were located at Jalan Yong Shook Lin, Petaling Jaya (Affin Bank, losses of RM303,000); Dataran Sunway (Al-Rajhi Bank, RM285,700); Seksyen 14, Petaling Jaya (Bank Islam, RM395,850); Kota Damansara (Bank Islam, RM221,160) and Kelana Jaya (Al-Rajhi) where the full amount lost has yet to be ascertained. Another Al-Rajhi Bank branch in Section 9, Shah Alam lost RM116,000 to similar hacking. The other ATMs are said to be located in Batu Pahat, Taman Molek (all in Johor) and Melaka Raya.

At the point of writing, only Affin Bank has so far assured customers that there has been no breach or compromise of their customer accounts.

According to data published by Symantec, the Backdoor.Padpin (ulssm.exe) malware was first detected on May 9 and is known to affect machines running on the Windows XP and Windows 7 operating systems. Symantec rates the malware as low risk.

Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer: [PATH TO THREAT]ulssm.exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]ulssm.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]ulssm.exe"

The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser. It runs in the background until a specific code is entered on the ATM’s PIN pad.

Once executed, the Backdoor.Padpin (ulssm.exe) malware opens a back door on the compromised computer/ATM machine, allowing an attacker to perform the following actions:

  • Dispense money from the compromised ATM
  • Select which cassette the ATM dispenses money from
  • Display cassette information such as bills left, denomination and total amount per cassette
  • Temporarily disable the local network to avoid triggering alarms when withdrawing money
  • Extend the duration of the session in order to continue stealing money
  • Delete the Trojan from the compromised ATM

As noted above, it also deletes its own files if it fails to take control of the ATM, in order to avoid detection.

To mitigate the malware, Symantec recommends using a firewall that denies all incoming connections except for a whitelist of allowed services, enforcing a password policy, and disabling autoplay of executable files.
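The two Run-key entries listed above and the autoplay advice in this paragraph are both things a bank can audit from a registry export taken off an ATM image. The script below is an added example, not code from the article or from Symantec: it parses the text of a `reg export` (.reg) file, flags any autostart entry under the HKLM/HKCU Run keys that is not on an allowlist of expected ATM software, and checks that the NoDriveTypeAutoRun policy disables AutoRun for all drive types. The allowlist path (`xfs_agent.exe`), the malware path `C:\Windows\ulssm.exe` and the sample export are all constructed for the example; the article only gives `[PATH TO THREAT]ulssm.exe`.

```python
"""Audit a Windows .reg export for unexpected autorun entries and the AutoRun policy.
Added example, not from the article or Symantec; the allowlist, the paths and
the sample export are constructed."""
import re
from dataclasses import dataclass

# Autostart locations the article lists for Backdoor.Padpin (both hives).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
)
# Policy value that disables AutoRun for every drive type when set to 0xFF.
AUTORUN_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer".lower()
AUTORUN_POLICY_VALUE = "NoDriveTypeAutoRun"

# Hypothetical allowlist: executables the ATM image is expected to autostart.
# In practice this is generated from a known-good build of the image.
EXPECTED_AUTORUN = {r"c:\atm\agent\xfs_agent.exe"}

# Constructed sample export: one legitimate agent, the two Padpin-style entries,
# and an AutoRun policy that still allows some drive types (0x95, not 0xFF).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XfsAgent"="C:\\ATM\\Agent\\xfs_agent.exe"
"ulssm.exe"="C:\\Windows\\ulssm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ulssm.exe"="C:\\Windows\\ulssm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
'''


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax used for REG_SZ and REG_DWORD values.
    Keys are lower-cased because registry paths are case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes inside string values.
                value = value[1:-1].replace('\\\\', '\\')
            keys[current][name] = value
    return keys


def normalize_path(value: str) -> str:
    """Reduce a Run value to its executable path: drop quoting and arguments, lower-case."""
    v = value.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    else:
        v = v.split(" ", 1)[0]
    return v.lower()


def audit_autorun(text: str) -> list:
    """Return findings for unexpected Run entries and a permissive AutoRun policy."""
    keys = parse_reg_export(text)
    findings = []
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            if normalize_path(value) not in EXPECTED_AUTORUN:
                findings.append(Finding(key, name, value, "autorun entry not on allowlist"))
    policy = keys.get(AUTORUN_POLICY_KEY, {}).get(AUTORUN_POLICY_VALUE)
    if policy is None or int(policy.removeprefix("dword:"), 16) != 0xFF:
        findings.append(Finding(AUTORUN_POLICY_KEY, AUTORUN_POLICY_VALUE, str(policy),
                                "AutoRun not disabled for all drive types (expected dword:000000ff)"))
    return findings


if __name__ == "__main__":
    for f in audit_autorun(SAMPLE_EXPORT):
        print(f"{f.reason}: {f.key}\\{f.name} = {f.value}")
```

Running it against the sample reports the two `ulssm.exe` Run entries and the weak AutoRun policy; the legitimate agent is silent because its path is on the allowlist. The allowlist compares normalized executable paths rather than value names, since the value name is chosen by whoever writes the entry and is the easier of the two to make look legitimate.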

Police have set up a special task force to investigate the cases. They have also launched a special operation called “Ops Godam ATM” to hunt down the suspects.

Those with information on this case are urged to contact Senior Assistant Commissioner Mohd Kamarudin Md Din at 03-26163839 or the nearest police station.
