Mariachis and jackpotting: ATM malware from Latin America

Thursday 5 October 12:00 - 12:30, Green room

Thiago Marques (Kaspersky Lab)
Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional crime and cybercrime are those against ATMs. The criminals have one goal in mind: jackpotting.

If there is one region in the world where these attacks have achieved highly professional levels, it is Latin America. Attacks against ATMs quickly evolved from using bombs and dynamite to using malware, starting with Ploutus and Green Dispenser and now the newest ATM-focused threats, Prilex and Ice5. Latin American crooks have been working together closely, and have attempted to steal a lot of money directly from ATMs, with relative success.

ATM attackers have developed a number of tools and techniques that are unique to this region, as well as importing malware from Eastern Europe and creating their own local solutions, deploying them on a large scale using USB sticks, CDs, corrupt employees, black boxes and other very creative methods. A combination of factors, including the use of obsolete and unsupported operating systems and development platforms, has made it simple to create malicious code, for example in .NET, without requiring a high level of technical skill. This scenario has favoured the development of malware that is very effective in the region.

We are facing a rising tide of threats against ATMs that have been improved technically and operationally. This is a great challenge for financial institutions and security professionals in the region - attacks on such devices have already generated large losses for financial institutions. The question here is: what will be the next big hit, and when? Why steal information to monetize when it is easier to milk cash directly from the bank? Attacks in the Carbanak style against banks in Latin America allow crooks to access the banks' networks directly, with no intermediary. In this presentation we will show in detail how these regional attacks against financial institutions operate and how they have created a unique situation in Latin America.



Thiago Marques

Thiago Marques joined Kaspersky Lab's Global Research and Analysis Team in November 2015 as a security analyst for Brazil.

His main responsibilities are the analysis of domestic malicious code through advanced reverse engineering and the investigation of local malware.

Thiago brings eight years of experience in the reverse engineering of malware. He previously worked as a senior researcher at a national security company in Brazil, analysing threats to the Windows and Android platforms and managing the malware lab. He also worked at Gas Technology, where he used reverse engineering to map malicious activities and support security product development.

Thiago Marques graduated with a B.S. in computer science from the Center Barra Mansa University in Rio de Janeiro. He has taught reverse engineering of malware for financial institutions, police departments, the army, navy and private companies at Escola Superior de Redes for six years. Additionally, in 2012, Thiago trained the Hong Kong police department in cybersecurity.




Fabio Assolini

Fabio Assolini joined Kaspersky Lab's Global Research and Analysis Team (GReAT) in July 2009 to focus primarily on one of the most dynamic countries in Latin America: Brazil. Fabio's responsibilities include the analysis of viruses, cyber attacks, banking trojans and other types of malware that originate from Brazil and the rest of the region. In particular, he focuses on the research and detection of banking trojans. In November 2012, he was promoted to Senior Security Researcher.

Since 2006, Fabio has been a voluntary member of the security community Linha Defensiva (Defensive Line), a non-government organization. In addition, he is a member of the Alliance of Security Analysis Professionals (ASAP), a network of NGOs, professionals and individuals dedicated to providing security-related support to end-users. Fabio has more than five years of experience as a malware analyst and has a university degree in computer science.






