Tyupkin: Malware which is designed for ATM infrastructure.


The Dell Sonicwall Threats Research team observed reports of an ATM bot family named GAV: Tyupkin.A actively spreading in the wild. The Tyupkin is one such example of ATM Malware which is designed for ATM infrastructure.

The malware could steal millions in cash from ATMs around the world without having to use a credit or debit card. Once Tyupkin is installed on an ATM, it allows the criminals to steal huge amounts of money by simply entering a series of codes.

Infection Cycle:

Md5: af945758905e0615a10fe23070998b9b

The Trojan adds the following files to the system:

    C:WINDOWSsystem32ulssm.exe [Executable file ]

    C:xfs_supp.sys [ 5120 KB null File ]

    C:xfstrace.log [Log File]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:



The malware needs to interact with ATM through the DLL library msxfs.dll, known as Extension for Financial Services (XFS Manager), on the system. Thats the reason dynamic analysis of such malware cannot be performed on a standard system.

The hackers need to gain physical access to the ATMs, allowing them to insert a Boot CD which installs the malware. The malware then runs in the background in an infinite loop awaiting a command from hackers (only accept commands at specific times such as Sunday and Monday nights)

To activate the malware, a unique combination key based on random numbers is generated, to avoid the possibility of a member of the public accidentally entering a code.

If malware failed to run on the system then it removes all its own credentials from the system and creates a log file such as following:

Here is an example of Log file C:xfstrace.log

Then it sends ping commands such as following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • Tyupkin.A
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.