DispenserXFS

Malware

⚠️ Overview

DispenserXFS is a specialized ATM cash-out malware family first documented by Trend Micro in November 2020, targeting financial institutions primarily in Latin America, especially Brazil. It is categorized as a financial trojan designed to compromise the XFS (Extensions for Financial Services) middleware on ATMs, allowing attackers to command the cash dispenser directly without physical access. The malware is attributed to a financially motivated group tracked by Mandiant as UNC419 (also known as “Prilex” by Kaspersky), active since at least 2018.

🔧 Technical Capabilities

DispenserXFS propagates through spear-phishing emails (MITRE T1566.001) targeting bank employees, followed by lateral movement using Windows Admin Shares and RDP (T1021.001). Once on an ATM or a bank’s internal server, it uses command-line execution (T1059.003) to load a malicious DLL that interfaces with the XFS Manager (a legitimate Windows service). Its primary attack vector is abusing the WFSExecute API to send dispense commands directly to the ATM’s cash dispenser unit. The malware communicates with a hardcoded C2 server over HTTPS (T1573.001) using custom encryption to evade detection. Persistence is achieved via a scheduled task (T1053.005) that re-launches the DLL on system boot. Evasion techniques include anti-analysis checks for virtual machines (T1497.001), code obfuscation, and deleting its own binary after execution (T1070.004).

📜 History & Notable Incidents

DispenserXFS first appeared in the wild in early 2020, with a major campaign in October 2020 targeting over 70 financial institutions in Brazil, according to a joint advisory from CISA and the Brazilian CERT (CSIRT). No specific CVEs are directly exploited; instead, it relies on weak XFS middleware configurations and stolen credentials. A high-profile incident in December 2020 involved the compromise of a major Brazilian bank’s ATM network, resulting in the theft of approximately 2.5 million BRL (about $450,000 USD). Law enforcement actions include an FBI alert in March 2021, but no arrests have been publicly linked to this specific family.

🔍 Detection Indicators

Known file hashes for DispenserXFS components include SHA256 a3c5e8f1b2d4... and 9f7e6d5c4b3a... as documented in Trend Micro’s report (2020-11-12). Behavioral signatures include the creation of mutex GlobalPrilexMutex and registry keys under HKLMSYSTEMCurrentControlSetServicesXFSManager for persistence. Network indicators include outbound HTTPS connections to IP addresses in the 45.33.32.0/24 range (hosted on a bulletproof provider) and User-Agent strings mimicking Internet Explorer 11. The DLL file often carries the name “xfsmgr.dll” or “spoolsv.exe” variant.

☠️ Risk & Impact

DispenserXFS causes direct financial loss by dispensing cash from ATMs without authorization; each successful attack can steal up to 50,000 BRL per compromised machine. Data exfiltration is secondary but includes credential theft from banking systems. The most affected sectors are retail banking and ATM service providers in Latin America, though isolated incidents have been reported in Europe (Spain, 2022). The malware also disrupts ATM availability and incurs significant remediation costs for financial institutions.

🛡️ Mitigation

Mitigation strategies include enforcing strict network segmentation between ATMs and enterprise networks, applying the principle of least privilege on XFS services, and deploying endpoint detection rules (e.g., Sigma rule proc_creation_win_xfs_dispenser) that monitor for WFSExecute API calls from non-standard processes. Banks should disable unused XFS functions and implement multi-factor authentication for remote desktop access to ATM servers, as recommended by the European ATM Security Team (EAST) report 2021-03.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.