Suceful – Malware that physically steals debit cards

Experts from the FireEye Company have discovered an interesting example of malware that was uploaded on VirusTotal by unknown Russian user. At the moment it is not clear whether the malware is under development or already in use in real life. But it is clear that this malware was developed for ATMs and it has an interesting feature – it can physically block the debit cards inside the ATM device, so the hackers are able to pick up them later.


Skimmers and hidden cameras mounted on ATMs are old news as well as software that can infect ATMs. All of us remember Ploutus or Tyupkin viruses that could be installed on the selected ATM through USB-port or CD-ROM. Regarding this new malware, which received the name Suceful, it is currently unknown how it is distributed. Why it is called Suceful? Because it is the message (misspelled word Successful) that appears in case of successful completion of the operations.


FireEye’s experts have studied Suceful and came to the following conclusions. Malware was created in August 25th, 2015. The time stamp in the malware code shows this date. Suceful is able to steal information from the magnetic stripe and chip of the debit cards (full name of the card owner, the account number, expiration date and the encrypted PIN-code) and almost completely take control over the ATM. Apparently it looks like this malware is aimed at NCR and Diebold ATMs.

Since the malware works with XFS Manager, which is part of WOSA / XFS, malware possibilities extend so far. XFS Manager serves as a link between the application (in this case – malware) and peripherals, which can be a printer, dispenser, card reader and so on. As a result, Suceful is able to disable the sensors of the ATM machine to avoid detection, prevent alarm and even block the debit card in the device.

Experts from FireEye are saying that blocking the debit cards feature is particularly interesting, because hackers can purposely block the card in the ATM and later come back to the device to “harvest”. Due to the fact that Suceful is able to disable ATM’s cameras, hackers will not get caught on the video. While the victim would call the bank and notify that his debit card was blocked inside the ATM, he can lose all of his money.

With all of this I wish you to stay safe and recommend to avoid using ATMs that look suspicious and damaged.

Information added: 09/17/2015 06:05 PM;