Trojan:Win32/Greeodode.A
First posted on 28 September 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Greeodode.A.
Explanation:
Threat behavior
This threat targets ATMs (automatic teller machines). It infects the hard disk of the ATM, and causes the ATM screen to display an error message such as "We regret this ATM is temporarily out of service".
The threat waits for a specific PIN that is hardcoded into its code. The PIN is specific to the person who installed the malware onto the ATM, and is not tied to any normal banking account.
After it receives this special PIN, the malware requests a second PIN that is generated through a QR code displayed on the ATM's screen.
The hacker uses the QR code to generate and insert the second PIN and can then steal cash from the ATM.
The use of a QR code to generate a second PIN ensures that only the hacker who installed the malware can steal from the ATM.
After the hacker has stolen cash from the machine, the malware can delete itself from the ATM's hard disk to try to thwart future analysis of the infection.
Related information
Proofpoint has a detailed analysis of this malware, which they call GreenDispenser:
- https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
Symptoms
Alerts from your security software might be the only symptom.
Last update 28 September 2015