
Alice

Posted: December 28, 2016

Threat Metric

Threat Level: 9/10
Infected PCs: 415
First Seen: December 28, 2016
Last Seen: December 7, 2022
OS(es) Affected: Windows

Alice is a Trojan that compromises the cash-dispensing function of Automated Teller Machines. Con artists can make the ATM hand over bills without any extensive interaction with the rest of the machine, including its number pad. Where anti-malware protection cannot block and delete Alice immediately, businesses should watch for any physical tampering with the affected machines and for compromised RDP logins.

Alice: a Stripped-Down Financial Wonderland for Con Artists

Seeking the greatest payout for their effort, most threat authors who target ATMs use similar methods built around stealing banking card data from users as they interact with the machines. Alice, a newer threat that also attacks Automated Teller Machines, lacks almost all of the features malware experts see in earlier threats of its kind: its only primary function for controlling the ATM is dispensing physical bills.

Regarding its black market business operations, Alice is rented to third-party con artists, who may deploy the Trojan as they see fit anywhere in the world. Although Alice does include a feature for exploiting Remote Desktop environments, malware experts can confirm no cases of that function in use, possibly because of the high risk of the attack being intercepted mid-operation. Otherwise, the operators must install Alice via a USB or CD drive and then issue commands through a keyboard.

After a basic login check, Alice's local operator can type commands specifying which bills Alice will force the ATM to eject, without inserting a debit or credit card. The theft must still obey the forty-bill limit per withdrawal that most ATM brands enforce.

Keeping Money Where It Belongs

Alice is at least two years old and may owe its previous anonymity to the different code-obfuscation strategies used by the various threat actors deploying it. As a study in simplicity, Alice lacks almost all of the features malware experts commonly note in advanced families like Carbanak and most closely resembles equally basic programs like Tyupkin and Padpin. However, even with only one system-controlling feature, one that requires an additional input device, Alice can potentially empty an entire ATM safe into the hands of entrepreneurial thieves.

The level of physical access needed to install and command Alice is high, and visual observation of the affected machine should identify any attempted attack immediately. Business workers should note especially the requirement for a keyboard plugged into the Automated Teller, as opposed to the more complex but stealthier number-pad-based input methods that sophisticated ATM spyware can use. Alice self-terminates on non-ATM systems (based on a Registry key condition), but anti-malware protection still may delay or prevent Alice attacks on the appropriate hardware.
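The two signals this write-up tells ATM operators to watch for, RDP logins and keyboards plugged into the teller hardware, both leave traces in the Windows Security log. The following triage script is an added example, not code from the original post or from any vendor; it runs over constructed sample events (field names follow the Windows event XML data names, and the hosts, accounts and addresses are made up) and flags remote-interactive logons (event 4624, LogonType 10) and newly recognized input or removable-storage devices (event 6416).

```python
# Added example (not from the original post): triage of constructed Windows
# Security-log events for the two signals the write-up tells ATM operators to
# watch: RDP logons and keyboards or removable media attached to the teller.
# Event IDs 4624 (logon; LogonType 10 = RemoteInteractive/RDP) and 6416 (new
# external device recognized) are real Windows Security event IDs.
from dataclasses import dataclass

# Constructed sample events, in the shape a flattened EVTX export might give.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "2", "TargetUserName": "atmsvc", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "Administrator", "IpAddress": "10.0.0.55"},
    {"EventID": 6416, "ClassName": "Keyboard", "DeviceDescription": "HID Keyboard Device"},
    {"EventID": 6416, "ClassName": "DiskDrive", "DeviceDescription": "USB Mass Storage"},
    {"EventID": 4634, "TargetUserName": "atmsvc"},
]

# Device setup classes that match the install (USB/CD) and control (keyboard)
# paths described for Alice; an ATM should never see these appear at runtime.
SUSPECT_DEVICE_CLASSES = ("Keyboard", "HIDClass", "DiskDrive", "CDROM")


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    detail: str


def triage(events):
    """Return the findings an ATM operator should review: remote interactive
    logons and new input/storage devices on a machine that should only ever
    see its own service account and its fixed peripherals."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4624 and ev.get("LogonType") == "10":
            findings.append(Finding(eid, "rdp_logon",
                f"{ev.get('TargetUserName')} from {ev.get('IpAddress')}"))
        elif eid == 6416 and ev.get("ClassName") in SUSPECT_DEVICE_CLASSES:
            cls = ev["ClassName"].lower()
            findings.append(Finding(eid, f"new_{cls}_device",
                ev.get("DeviceDescription", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On a real deployment the same logic would read events from the host's Security log (for instance via an EVTX export) instead of the constructed list, and the interactive logon of the ATM's own service account is deliberately not flagged.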

While its scope is extremely narrow, Alice is an easy way for con artists with little experience to get 'free' money from businesses that don't monitor their banking machines. Investing in enough staff or camera coverage to keep modern-day 'bank heists' from taking place is never a waste of resources.
