
Backdoor:MSIL/Sidkey.A


First posted on 10 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:MSIL/Sidkey.A.

Explanation :

Threat behavior

Backdoor:MSIL/Sidkey.A is a .NET (MSIL) backdoor that infects Windows-based ATMs so that an attacker standing at the machine can make it dispense cash.

Installation

Backdoor:MSIL/Sidkey.A creates the following registry entry so that it runs each time the ATM starts. The value name imitates a component of the APTRA ATM software stack so that it does not stand out among legitimate autostart entries:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AptraDebug"
With data: "\ulssm.exe"

It then tries to take control of the infected ATM's PIN pad and may display all available keys. If it cannot take control of the PIN pad, it removes itself, deleting its files and registry entries. For responders this means that a machine on which the PIN pad hook failed may show none of the artifacts described below.

Payload

Dispense money from ATM machines

Backdoor:MSIL/Sidkey.A creates a hidden window named "APTRASST1" that receives key presses; entering the right keys activates the trojan. It can then show an "ENTER SESSION KEY TO PROCEED!" screen which accepts further keys and runs the following ATM operations:

  • Disable the local area connection, so that the ATM cannot report the activity and raise an alarm.
  • Delete traces of the malware, including its files and registry entries.
  • Extend the session time. On success the machine displays "TIME WAS EXTENED. +++" (the typo is in the malware's own string).
  • Display cassette information, prefixed with "Nr. of cash unit structures is: ". This shows how much money is left in a specific cassette.


This threat can dispense money from a cassette chosen by number. Once a valid session key has been accepted, the machine displays the following prompt and waits for the cassette number:

DISABLING LOCAL AREA NETWORK...
PLEASE WAIT..."
DISPENSE PERMISSION GRANTED
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

If an invalid cassette number is entered, the ATM displays the following message:

INVALID CASSETTE NUMBER!
INVALID CASSETTE NUMBER. TRY AGAIN.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

If the dispense operation is denied, it displays the following message and waits for a valid session key:

DISPENSE OPERATION DENIED. ENTER SESSION KEY.
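The persistence entry under Installation and the window name and screen strings under Payload are the indicators a responder can actually check for. The script below is an added triage example for this page, not Microsoft's analysis code. It assumes the responder has collected the entries of the HKLM Run key (for instance from an exported SOFTWARE hive) and the raw bytes of executables found on the ATM; the sample artifacts at the bottom are constructed. One caveat it encodes: Sidkey.A is an MSIL binary, and .NET stores user strings as UTF-16LE, so an ASCII-only string search over the assembly misses every marker listed above.

```python
"""Offline triage for the Backdoor:MSIL/Sidkey.A indicators described above.

Added example for this page, not Microsoft's analysis code. It assumes the
responder has collected (a) the entries under the HKLM Run key, e.g. from an
exported SOFTWARE hive, and (b) the raw bytes of executables found on the ATM.
The sample inputs at the bottom are constructed.
"""
import sys

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "AptraDebug"          # value name the malware writes
RUN_IMAGE = "ulssm.exe"           # file name at the end of the value's data
WINDOW_NAME = "APTRASST1"         # hidden window that receives key presses

# Strings the malware shows in its hidden window / on the ATM screen (taken
# from the text above; "EXTENED" is the malware's own typo and must stay).
MARKER_STRINGS = (
    WINDOW_NAME,
    "ENTER SESSION KEY TO PROCEED!",
    "TIME WAS EXTENED. +++",
    "Nr. of cash unit structures is: ",
    "DISPENSE PERMISSION GRANTED",
    "INVALID CASSETTE NUMBER. TRY AGAIN.",
    "DISPENSE OPERATION DENIED. ENTER SESSION KEY.",
)


def check_run_entries(entries):
    """Flag Run entries matching the persistence described above.

    entries: iterable of (key_path, value_name, data) string tuples.
    Returns a list of human-readable findings (empty when nothing matched).
    Data is compared case-insensitively with surrounding quotes stripped,
    because reg.exe exports and triage tools differ on quoting. A renamed
    value that still launches ulssm.exe is also reported.
    """
    findings = []
    for key_path, value_name, data in entries:
        normalized = key_path.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
        if normalized != RUN_KEY.lower():
            continue
        image = data.strip().strip('"').lower()
        if value_name.lower() == RUN_VALUE.lower():
            findings.append(f"Run value {value_name!r} present, data={data!r}")
        elif image.endswith("\\" + RUN_IMAGE) or image == RUN_IMAGE:
            findings.append(f"Run value {value_name!r} launches {RUN_IMAGE}: {data!r}")
    return findings


def find_markers(blob):
    """Return {marker: [encodings]} for every marker string found in blob.

    .NET keeps user strings in the #US metadata heap as UTF-16LE, so an
    ASCII-only search over the assembly (or a process dump) misses them.
    Both encodings are checked so the same function also works on a plain
    text capture of what the ATM screen displayed.
    """
    hits = {}
    for marker in MARKER_STRINGS:
        encodings = [enc for enc in ("ascii", "utf-16-le")
                     if marker.encode(enc) in blob]
        if encodings:
            hits[marker] = encodings
    return hits


def hidden_window_present(name=WINDOW_NAME):
    """Live check, Windows only: is a top-level window with this name open?

    Returns None when not running on Windows. Assumption: the text does not
    say whether "name" is the window title or the class name, so both are
    tried. FindWindow only sees windows on the caller's own desktop.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    user32 = ctypes.windll.user32
    return bool(user32.FindWindowW(None, name) or user32.FindWindowW(name, None))


# Constructed sample artifacts (not real collections from an ATM).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "VendorHealth", r'"C:\Program Files\Vendor\health.exe"'),
    (RUN_KEY, RUN_VALUE, r'"\ulssm.exe"'),
]
SAMPLE_BLOB = (b"MZ" + b"\x00" * 64
               + WINDOW_NAME.encode("utf-16-le")      # as stored in a .NET #US heap
               + b"\x00" * 8
               + b"DISPENSE PERMISSION GRANTED")       # as in a text screen capture


if __name__ == "__main__":
    for line in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("[persistence]", line)
    for marker, encs in find_markers(SAMPLE_BLOB).items():
        print("[string]", marker, "found as", ", ".join(encs))
    print("[window]", hidden_window_present())
```

Run it on the ATM itself only if the machine is still in a state where that is acceptable to the bank; otherwise feed it the exported Run key and the suspicious binaries collected during triage. Because the malware deletes itself when the PIN pad hook fails, an empty result does not prove the machine was never touched.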



Analysis by Ferdinand Plazo

Symptoms

The following could indicate this threat is active on an ATM:

  • The autostart value "AptraDebug" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, pointing at ulssm.exe.
  • A hidden window named "APTRASST1".
  • The local area connection being disabled unexpectedly.
  • The screen messages quoted under Payload above, for example:

    DISPENSE PERMISSION GRANTED
    TO START DISPENSE OPERATION -
    ENTER CASSETTE NUMBER AND PRESS ENTER.

    INVALID CASSETTE NUMBER. TRY AGAIN.

    DISPENSE OPERATION DENIED. ENTER SESSION KEY.

Last update 10 October 2014
