

First posted on 30 May 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Padpin.

Explanation:

Backdoor.Padpin is a Trojan horse that targets automated teller machines (ATMs). The Trojan allows an attacker to issue commands to it through the ATM's PIN pad.

Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer:
[PATH TO THREAT]\ulssm.exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser.
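
As an added defender's check, not part of the Symantec write-up: a PowerShell snippet that inspects the two Run keys listed above for a value named ulssm.exe, reports the file it points to, and hashes that file if it is still present. The function name and the output fields are my own assumptions for this example; the key paths and value name are the ones given in the description.

```powershell
# Added example for defenders; not from the original write-up.
# Looks for the Backdoor.Padpin persistence entries named in the description:
# a Run value called "ulssm.exe" under HKLM and HKCU.
function Find-PadpinPersistence {
    # Function name is an assumption made for this example.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $valueName = 'ulssm.exe'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        if ($props.PSObject.Properties.Name -notcontains $valueName) { continue }

        # The Run value holds the path to the executable; strip surrounding quotes if present.
        $target = ([string]$props.$valueName).Trim('"')
        $onDisk = Test-Path -LiteralPath $target -PathType Leaf
        $hash = if ($onDisk) {
            (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        } else {
            $null
        }

        [pscustomobject]@{
            RegistryKey = $key
            ValueName   = $valueName
            Target      = $target
            FileOnDisk  = $onDisk
            Sha256      = $hash
        }
    }
}

$hits = @(Find-PadpinPersistence)
if ($hits.Count -eq 0) {
    Write-Output 'No ulssm.exe Run entries found.'
} else {
    # Report only; removal is left to the incident-response process.
    $hits | Format-List
}
```

Get-FileHash needs PowerShell 4 or later; on older hosts replace that call with a hashing tool of your choice. A Run value whose FileOnDisk is false is consistent with the self-deletion behaviour described above, so it should still be recorded as evidence rather than dismissed as stale.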

The Trojan runs in the background until a specific code is entered on the ATM's PIN pad.

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Dispense money from the compromised ATM
Select which cassette the ATM dispenses money from
Display cassette information such as bills left, denomination and total amount per cassette
Temporarily disable the local network to avoid triggering alarms when withdrawing money
Extend the duration of the session in order to continue stealing money
Delete the Trojan from the compromised ATM

Last update 30 May 2014