Researchers from Kaspersky Labs warn that the Skimer malware, first spotted in 2009, is once again infecting ATM machines worldwide. An improved version of Backdoor.Win32.Skimer has been discovered infecting machines worldwide. The new Skimer allows criminal access to card data, including PIN numbers, as well as to the actual cash located in the machine.
The malicious installers use the packer Thermida to disguise the Skimer malware which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed in the executable file of the NTFS data stream, which makes detection and analysis of the malware more difficult.
Unlike other skimming malware programs, like Tyupkin, which becomes active in a specific time frame and is awakened by a ‘magic code’, Skimer may lie dormant for months until it is activated with the physical use of a ‘magic card.’ The magic card gives access control to the malware, which then offers a list of options that are accessed by inputting a choice on the pin pad.