ATM Malware Sold on the Darknet for $5,000 Forces Machines to Dispense Cash

ATM Malware “Cutlet Maker” Sold on the Darknet for $5,000

Experts from Kaspersky Lab have reported on a type of ATM malware called Cutlet Maker. Originally, this malicious software was advertised and distributed through the AlphaBay darknet marketplace, which was shut down by law enforcement last summer. Now, the operators of the malware have launched their own onion site, ATMjackpot, where they continue to sell their “product,” with only minor changes to its specifications in recent months.

How Cutlet Maker Works

According to advertisements for the malware, Cutlet Maker can be used to attack various ATM models and does not require interaction with users or their data. However, physical access to the machine is necessary, as the attack involves physically opening the ATM and connecting to its USB port. To control the cash dispensing, the malware uses an unnamed proprietary library.

Video Demonstrations

The criminals have also provided video demonstrations. Journalists from Bleeping Computer uploaded these videos to YouTube, showing actual ATM hacks in action.

What’s Included in the $5,000 Package?

Currently, Cutlet Maker is being sold for $5,000. According to Kaspersky Lab, this price includes a toolkit consisting of:

  • Cutlet Maker (the main malware component)
  • Stimulator (an app that collects data about the contents of the ATM’s cash cassettes)
  • c0decalc (a simple app that generates special codes for the malware)

Researchers believe these tools may have been developed by different individuals. Bleeping Computer reports that the new version of Cutlet Maker sold on ATMjackpot no longer uses c0decalc; code generation is now handled directly through the criminals’ website.

Security and Countermeasures

In their report, Kaspersky Lab states that Kaspersky Embedded Systems Security (KESS) protects against Cutlet Maker. However, last week, analysts from Embedi published their own research (PDF) describing a method to bypass KESS.
