Understanding the Threat
Co-Founder @ Cysinfo (https://cysinfo.com)
Researcher @ Netskope
The content, demonstration, source code and
programs presented here are provided "AS IS" without any
warranty or conditions of any kind. The views,
ideas and knowledge expressed here are solely the
author's and have nothing to do with the company or the
organisation in which the author is currently working.
In no circumstances is the speaker or
Cysinfo responsible for any damage or loss caused
by use or misuse of the information presented here.
• ATM (Automated Teller Machine)
• As per the ATM Industry Association (ATMIA), there are around 3 million ATMs installed
• The majority of ATMs run the Windows operating system.
• WOSA/XFS or CEN XFS is the software standard used by ATM platforms for ATM device
• The XFS subsystem provides a common API for accessing and manipulating ATM
devices from different vendors.
• Leading ATM vendors:
XFS (eXtensions for Financial
*pic: CEN/XFS Specifications
• The application uses XFS APIs to communicate with
• APIs can be called synchronously or
• The XFS manager translates the APIs to SPIs
• API names start with WFS*
• Example: WFSOpen, WFSExecute, WFSGetInfo etc.
• XFS manager uses configuration information to route APIs to
• Configuration information is stored in Windows registry hives.
• PC dependent information is stored under
• User dependent information is stored under:
• .Default or user id.
Config. Info. cont..
• PC dependent information.
• XFS_Manager: trace file, share file information etc.
• Service_Provider: XFS compliant service provider - DLL name, version, vendor name
• Physical_service: physical attachment configuration by the solution providers.
Config. Info. cont..
• User dependent configs
• Logical services can provide one or more physical services; for example, a cash dispenser and a coin dispenser can be
part of one logical service.
• Logical services: service class, service provider (the service provider's key name under service providers)
*pic: CEN/XFS specifications
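The routing the two configuration slides describe (logical service -> service provider key -> DLL) is exactly what a defender should be able to verify on a machine, because the XFS manager loads whatever DLL the registry names. The script below is an added example, not code from this deck, from RIPPER, or from any XFS vendor: it parses a registry export of the XFS configuration and compares it with a baseline allow-list of service-provider DLLs recorded from a known-good image. The key paths (HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS and HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES), the value names (dllname, vendor_name, version, class, provider), the provider names, DLL paths and approved directory are all assumptions used to construct the sample; the real layout should be confirmed against the CEN/XFS specification and the vendor's installation.

```python
import re
from pathlib import PureWindowsPath

# Key paths following the CEN/XFS registry layout (assumed here; the deck only
# names the key groups XFS_Manager, Service_Provider and logical services).
SERVICE_PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS"
LOGICAL_SERVICES_KEY = r"HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES"

# Constructed sample .reg export (not from a real ATM): one provider DLL has been
# moved into a writable directory and one logical service routes to a provider
# that is not registered at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\CDM_SP]
"dllname"="C:\\XFS\\SP\\cdm_sp.dll"
"vendor_name"="ExampleVendor"
"version"="3.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\XFS\SERVICE_PROVIDERS\IDC_SP]
"dllname"="C:\\Windows\\Temp\\idc_sp.dll"
"vendor_name"="ExampleVendor"

[HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser]
"class"="CDM"
"provider"="CDM_SP"

[HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader]
"class"="IDC"
"provider"="IDC_SP"

[HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Pinpad]
"class"="PIN"
"provider"="PIN_SP"
"""

# Constructed baseline: provider key name -> DLL path taken from a known-good image.
BASELINE_DLLS = {
    "CDM_SP": r"C:\XFS\SP\cdm_sp.dll",
    "IDC_SP": r"C:\XFS\SP\idc_sp.dll",
    "PIN_SP": r"C:\XFS\SP\pin_sp.dll",
}
APPROVED_DIR = r"C:\XFS\SP"  # assumed install directory for service-provider DLLs

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name_lowercase: value}} for the REG_SZ lines of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            # .reg files escape quotes and backslashes inside string values.
            value = match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][match.group(1).lower()] = value
    return keys


def _children(keys, parent):
    """Direct subkeys of `parent` as {name_lowercase: (name, values)}."""
    prefix = parent.lower() + "\\"
    out = {}
    for path, values in keys.items():
        rest = path[len(prefix):]
        if path.lower().startswith(prefix) and "\\" not in rest:
            out[rest.lower()] = (rest, values)
    return out


def _is_under(path, directory):
    """True if the Windows path `path` lies inside `directory` (case-insensitive)."""
    p = tuple(s.lower() for s in PureWindowsPath(path).parts)
    d = tuple(s.lower() for s in PureWindowsPath(directory).parts)
    return len(p) > len(d) and p[: len(d)] == d


def audit_xfs_config(reg_text, baseline_dlls=BASELINE_DLLS, approved_dir=APPROVED_DIR):
    """Compare an exported XFS configuration with the baseline and return sorted findings."""
    keys = parse_reg_export(reg_text)
    providers = _children(keys, SERVICE_PROVIDERS_KEY)
    logical = _children(keys, LOGICAL_SERVICES_KEY)
    baseline = {name.lower(): dll for name, dll in baseline_dlls.items()}
    findings = []

    # Every registered service provider must be the expected DLL in the expected place.
    for key, (name, values) in providers.items():
        dll = values.get("dllname", "")
        expected = baseline.get(key)
        if expected is None:
            findings.append(f"unknown service provider {name}: {dll}")
        elif dll.lower() != expected.lower():
            findings.append(f"service provider {name} dll changed: {dll} (baseline {expected})")
        if not _is_under(dll, approved_dir):
            findings.append(f"service provider {name} dll outside {approved_dir}: {dll}")

    # Every logical service an application will WFSOpen must route to a registered provider.
    for _key, (name, values) in logical.items():
        provider = values.get("provider", "")
        if provider.lower() not in providers:
            findings.append(f"logical service {name} (class {values.get('class', '?')}) "
                            f"routes to unregistered provider {provider}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_xfs_config(SAMPLE_REG_EXPORT):
        print(finding)
```

On a real machine the input comes from `reg export HKLM\SOFTWARE\XFS hklm_xfs.reg` and `reg export HKU\.DEFAULT\XFS hku_xfs.reg` (concatenated; note that reg.exe writes UTF-16, so open the files with `encoding="utf-16"`), and the baseline from a known-good build of the same ATM image. A finding is not proof of compromise, but a service-provider DLL that has moved to a writable directory, or a logical service pointing at a provider the manager cannot find, is precisely the kind of change the XFS manager will route to without complaint and therefore worth explaining.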
Important XFS APIs
• WFSStartUp - Initiate a connection between an application and the XFS
• WFSOpen - Open a session between an application and a service provider
• WFSRegister - Enable monitoring of a class of events by an application
• WFSExecute - Send service-specific commands to a service provider
• WFSGetInfo - Retrieve service-specific information from a service provider
• Almost all of the APIs can be called asynchronously, except a few (e.g.
• Async - WFSAsyncExecute, WFSAsyncOpen, WFSAsyncRegister etc.
• An application must call WFSOpen for each logical service it uses.
• RIPPER ATM Malware
• Linked with Bt12 million hack
• Targets major ATM manufacturers (NCR, Diebold,
• Reads both magnetic stripe and EMV chip data.
• Cash dispenser functionalities
• Let's jump into the malware code analysis!