"Trojan.Skimer.18 is by no means the first backdoor to infect ATM software, but it is the first to target devices so common throughout the world," the researchers said, explaining its importance.
The Trojan comes in the form of a dynamic link library (DLL) and gets loaded by an infected application. Once it has gained a foothold on the machine, it immediately creates a log file that will store the stolen information: Track 2 data (card/account number, expiry date, service code) and PIN codes.
"It is noteworthy that in order to maintain confidentiality, ATM manufacturers employ a special technology that facilitates the encrypted transmission of PIN codes entered into ATMs, and the encryption key is regularly updated from the bank's server," they pointed out, but added that Trojan.Skimer.18 easily bypasses this protection and uses the ATM's software to decrypt PIN codes.
The criminals control the malware via specially designed master cards.
Once inserted into the ATM's card slot, these cards make a Trojan dialogue box pop up and allow criminals to use the ATM's keypad to interact with the malware.
If directed to do so, the Trojan can delete itself or the log file from an infected ATM, restart the machine or change its operation mode, and even update itself by using an app from the master card's chip. The master cards can also "download" the already stolen info after first compressing the file.
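For responders examining an ATM disk image, the following added example (not from the original article or the researchers) sweeps a file's bytes for the Track 2 fields listed above. It assumes the data sits in plaintext ISO/IEC 7813 Track 2 layout, which the article does not state; `find_track2`, `luhn_ok` and the sample bytes are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";?(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track2(blob: bytes) -> list:
    """Return masked Track 2 candidates found in blob, with byte offsets."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, yy, mm, svc = (g.decode("ascii") for g in m.groups())
        if not 1 <= int(mm) <= 12:      # expiry month must be plausible
            continue
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            # Mask the PAN so the triage report does not itself leak card data.
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{yy}/{mm}",
            "service_code": svc,
        })
    return hits

# Constructed sample: one valid record (public test PAN), one with an
# impossible month, one failing the Luhn check.
SAMPLE = (
    b"boot ok\n"
    b";4111111111111111=25121010000000000?\n"
    b"noise 1234567890123=9913101\n"
    b";4111111111111112=25121010000?\n"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

A hit in a file that the ATM application has no reason to write is a lead worth escalating; a compressed or encoded log would not match and needs unpacking first.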