Trend Micro’s security intelligence blog, TrendLabs, reports that it found a cybercriminal offering malware that could exploit a vulnerability in Bitcoin ATMs.
Criminals have been shifting their attention from ransomware to mining malware because cryptocurrencies are fast gaining popularity.
TrendLabs explains that a Bitcoin ATM is different from a regular ATM. One of the most obvious differences is that a “Bitcoin ATM does not connect to a bank account. It connects to a cryptocurrency exchange, which is a platform for buying and selling cryptocurrencies like bitcoin.”
Customers have digital wallets where they store or keep the bitcoins they purchased. In other words, it’s a repository of their acquired cryptocurrencies that lets them connect to exchanges. Customers use their mobile number and ID cards for user identity verification. To use it they have to input a wallet address or scan a QR code. Here is where cybercriminals found a loophole they can exploit: Wallets are not standardized and are often downloaded from app stores.
An “established and respected” underground user offering Bitcoin ATM malware caught the eye of TrendLabs security researchers.
“The actual listing for the malware contains more details. Buyers receive not just the malware but also a ready-to-use card that comes with EMV and NFC capabilities. According to the listing, the malware exploits a service vulnerability that allows the user to receive bitcoins worth up to 6,750 in U.S. dollars, euros, or pounds. The malware does not come cheap, as it is being sold for US$25,000. The number of reviews (over 100) shows that the seller has earned quite a large amount from various offerings, including this malware,” the researchers write.
Just as banks have added EMV to ATM cards for security, the seller has upgraded his “products” and is also offering malware “that has been updated for EMV standards” for regular ATMs. The seller is generous with his knowledge and explained in a thread how the malware works and “the use of a menu vulnerability to disconnect the machine from the network to disable alarms.”
The seller, according to the observations of Trend Micro researchers, specializes in financial malware and compromised accounts. “This person is an experienced cybercriminal who seems to be constantly expanding his wares,” write the TrendLabs researchers.
TrendLabs sees that as cryptocurrencies grow, Bitcoin ATM malware grows, too.