A forum for reverse engineering, OS internals and malware analysis 

 #32071  by oilen
 Fri Aug 31, 2018 7:21 am
Hi All,
thank you so much for the sample. I was able to use it with success. The SW is active and does its job if properly used. It is designed for a specific SW vendor and it runs on all Vendor HW ATM versions that have the base installed. It will also run on any other ATM HW from other manufacturers but where the SW vendor base is installed and used for HW communication. SW connects directly to vendor libraries, bypassing XFS classic libraries. It is capable of direct control of dispensers and it shows deep knowledge of the vendor platform.
More to follow,
JD
 #32091  by areverser
 Tue Sep 04, 2018 6:22 pm
Interesting text, but after analyzing I found it just exploits old types of ATMs, cashing out money just by using XFS classic, Cashout Dispenser.
 #32092  by oilen
 Tue Sep 04, 2018 11:35 pm
Depends on the version you analyze. Because of the sensitivity of the subject I cannot name exactly what and how it attacks, but if you have the latest SW versions of the vendor software you will be surprised that it works on those versions too, including 4.0 and 4.1. The specific vendor we are talking about has two layers of SW in order to connect to the actual HW device. The latest version of Cutlet uses a lower layer because that is the one it looks for first.
 #32169  by gelek
 Thu Oct 04, 2018 7:12 am
oilen wrote: Tue Sep 04, 2018 11:35 pm Depends on the version you analyze. Because of the sensitivity of the subject I cannot name exactly what and how it attacks, but if you have the latest SW versions of the vendor software you will be surprised that it works on those versions too, including 4.0 and 4.1. The specific vendor we are talking about has two layers of SW in order to connect to the actual HW device. The latest version of Cutlet uses a lower layer because that is the one it looks for first.
do you have jabber?