Until now, bank’s clients risked to remain without money on their accounts after their cards were cloned with skimmers installed on ATMs. In other cases, hackers intercepted their authentication credentials using online tools and techniques. Interpol and Kaspersky announced that they discovered a network of criminals who have developed a more advanced method, by installing a backdoor on ATMs. In this way, cyber criminals used ATMs to withdraw money directly from bank accounts.

Interpol and Kaspersky says that the criminals network, operating in Eastern Europe and Russia managed to compromise the security of 50 ATMs so far. They extracted millions of dollars dirrectly from bank accounts. Tyupkin backdoor was discovered after a security audit performed by Kaspersky at the request of a customer, the company having suspicions that this backdoor could be used also in the United States, China and India.

Tyupkin affects ony a few ATM models. The backdoor was created to explore the vulnerabilities of some Windows X86 models manufactured by an unknown manufacturer. The backdoor can’t spread by itself, the camera shootings can prove that Tyupkin was manually installed by some hackers that used a CD. In this way, the cyber criminals gained full access of the ATM.


Once installed, Tyupkin malware uses various techniques to hide it’s presence, the backdoor is active only in a certain time frame. During the period in which the malware is active, the software requires the introduction of a six digit code in order to display the available amount of money. The cyber criminals can extract up to 40 banknotes in a single session directly from bank accounts. Meanwhile, the internet connection is disabled, in this way the hackers can’t be checked by a real-time security investigation.

The first version of the Tyupkin backdoor was compiled in March this year. Cyber criminals developed new versions using more advanced methods to bypass or fool anti-malware systems.

Source – Kaspersky News


Tyupkin Backdoor Infected Countries:


The malware name is: Backdoor.MSIL.Tyupkin (affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit)

Tool to check for this kind of malware: Virus Total