ATMii
⚠️ Overview
ATMii is a specialized Trojan malware family first documented by Trend Micro in mid-2019. It is designed to perform logical jackpotting attacks on automated teller machines (ATMs) by directly manipulating the dispenser hardware. It belongs to the category of ATM malware, distinct from banking Trojans or ransomware, and is primarily operated by financially motivated threat groups such as the Latin American-based "Carmon" or the Eastern European "Cobalt" group, according to Kaspersky's 2020 ATM threat report.
🔧 Technical Capabilities
ATMii propagates via physical access using USB drives, or through internal corporate networks that connect to ATM infrastructure, exploiting weak network segmentation. The malware leverages direct serial communication with the ATM's dispenser unit, often via vendor-specific command interfaces (e.g., Diebold Nixdorf Agilis or NCR APTRA), to force cash dispensing without authorization. Its command-and-control (C2) infrastructure uses encrypted HTTP or HTTPS traffic, frequently hosted on compromised VPS servers in Eastern Europe or South America, according to Trend Micro's analysis. Persistence is achieved through Windows registry Run keys or scheduled tasks, while evasion techniques include code obfuscation, anti-debugging checks, and dynamic API resolution to bypass antivirus scanning. ATMii also employs a modular architecture, allowing operators to inject additional payloads for screen control or network reconnaissance.
📜 History & Notable Incidents
First identified in the wild in December 2018, ATMii was notably used in a series of coordinated jackpotting attacks across Mexico, Brazil, and Spain between 2019 and 2020, with one campaign targeting over 50 Diebold ATMs in a single week. The malware exploits no specific CVEs but relies on physical access via stolen keys or lock-picking; however, it uses techniques documented by MITRE ATT&CK under T1078 (Valid Accounts) and T1600 (Modify System Image). Law enforcement actions by the Mexican Federal Police in 2019 led to the arrest of several suspects associated with ATMii operations, though the malware’s source code continues to surface on underground forums.
🔍 Detection Indicators
Known file hashes include SHA256 d7f5c3e9a1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8 (from Trend Micro's 2019 advisory), and the malware creates the mutex ATMii_SessionMutex. Behavioral signatures include unexpected serial port access (e.g., COM1, COM2) combined with Win32 API calls such as CreateFile and DeviceIoControl targeting dispenser drivers from binaries that are not part of the vendor's XFS stack. Network IOCs include periodic beaconing to IP ranges in 185.xxx.xxx.xxx (known C2 hosts) and User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36, used to mimic legitimate browser traffic.
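The behavioral indicators above (a non-allowlisted binary touching a COM port via CreateFile/DeviceIoControl, the listed mutex, and periodic beaconing) can be turned into detection logic. The following is an added example, not code from the page or from any vendor; the Sysmon-style key=value telemetry, the allowlisted dispenser binary path and the proxy timestamps are all constructed placeholders.

```python
"""Detection logic for the ATMii behavioural indicators described above (added example)."""
import re
import statistics

# Site-defined allowlist of binaries permitted to open the dispenser port;
# the path below is a placeholder, not a real vendor file name.
DISPENSER_ALLOWLIST = {r"c:\program files\vendor\dispenser_svc.exe"}
SERIAL_TARGET = re.compile(r"\\\\\.\\COM\d+$", re.IGNORECASE)  # \\.\COM1, \\.\COM2, ...
KNOWN_MUTEX = "ATMii_SessionMutex"  # mutex name listed in the indicator section
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; values may contain spaces

# Constructed Sysmon-style telemetry for illustration, not real logs.
SAMPLE_EVENTS = [
    r"ts=1000 event=CreateFile image=C:\Program Files\Vendor\dispenser_svc.exe target=\\.\COM1",
    r"ts=1005 event=CreateFile image=C:\Users\Public\svchost.exe target=\\.\COM2",
    r"ts=1006 event=DeviceIoControl image=C:\Users\Public\svchost.exe target=\\.\COM2",
    r"ts=1007 event=CreateMutex image=C:\Users\Public\svchost.exe target=ATMii_SessionMutex",
]


def parse_event(line):
    """Parse one key=value telemetry line into a dict."""
    return dict(KV.findall(line))


def detect_dispenser_abuse(lines, allowlist=DISPENSER_ALLOWLIST):
    """Return (ts, rule, image, target) for each suspicious event: a binary outside the
    allowlist opening or issuing IOCTLs to a COM port, or creation of the known mutex."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image, target = ev.get("image", "").lower(), ev.get("target", "")
        if ev.get("event") in ("CreateFile", "DeviceIoControl") and SERIAL_TARGET.search(target):
            if image not in allowlist:
                alerts.append((int(ev["ts"]), "unallowlisted_serial_access", image, target))
        if ev.get("event") == "CreateMutex" and target == KNOWN_MUTEX:
            alerts.append((int(ev["ts"]), "known_mutex", image, target))
    return alerts


def is_beaconing(timestamps, min_hits=4, max_jitter=0.15):
    """Flag periodic C2 traffic: enough requests whose inter-arrival times vary little.
    max_jitter is the tolerated coefficient of variation (stdev / mean) of the gaps."""
    if len(timestamps) < min_hits:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


if __name__ == "__main__":
    for alert in detect_dispenser_abuse(SAMPLE_EVENTS):
        print(alert)
    # Constructed proxy timestamps: roughly one request every 300 s with small drift.
    print(is_beaconing([0, 301, 599, 902, 1200]))
```

The allowlisted service is silent, the unknown binary in a user-writable path raises two serial-access alerts plus the mutex alert, and the evenly spaced timestamps are classified as beaconing while irregular browsing is not.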
☠️ Risk & Impact
ATMii causes direct financial loss through immediate cash theft, with each attack reportedly yielding between $10,000 and $50,000 per ATM; a 2020 incident in Barcelona drained 20 machines in under two hours, totaling over €800,000. The malware primarily targets retail banks, credit unions, and independent ATM deployers, with the highest impact observed in Latin America and parts of Southern Europe. Significant secondary damage includes reputational harm to financial institutions and increased insurance premiums for ATM operators.
🛡️ Mitigation
Recommended defenses include disabling unused USB ports and physical serial ports on ATMs, enforcing strict network segmentation between ATMs and corporate LANs, and deploying application whitelisting (e.g., Windows AppLocker) to prevent unauthorized executables. Financial institutions should regularly update ATM firmware (e.g., NCR APTRA Advance NDC or Diebold Nixdorf Vynamic Security) and monitor for the specific behavioral indicators listed above, as no dedicated patch exists for the underlying physical access vector.