Goal: Analyze the internals of the prolific Cutlet ATM malware.
Sample: fac356509a156a8f11ce69f149198108 
The blog outline is as follows:
I. Cutlet ATM Malware Background
II. Method of Operation
III. Threat Scope
IV. Cutlet ATM Malware Analysis
A. “start cooking” and “CHECK HEAT” functions
B. Cutlet’s CSCWCNG API calls to dispense and transport cash
V. Possible Mitigation
V. YARA RULE
This Cutlet malware became one of the most widely used malware targeting Automated Teller Machines (ATMs). The ATM malware is available on the underground and leveraged by multiple actors in numerous ATM jackpotting heists. The malware targets one ATM vendor only, which is Diebold Nixdorf, formerly known as Wincor Nixdorf.
II. Method of Operation
The Cutlet malware is to be installed into individual ATMs, designed to make targeted machines dispense bills automatically via emptying cash-carrying cassettes. Typically, the ATM malware operation requires two individuals to be involved: one with the direct physical access to the ATM device connected to its backend USB port via a controlled PC; another one - remotely connected and able to release the key to dispense the cash to the first individual. By and large, the Cutlet malware, written in Borland Delphi, demonstrates its developer familiarity with the ATM-specific model proprietary API calls.
III. Threat Scope
Alongside with the infamous Tyupkin, Skimer, and Ripper ATM malware, the Cutlet ATM malware is a formidable threat on the ATM malware landscape. The surfaced reports generated a significant amount of attention to the malware from the industry(1)(2) and has sparked interest within the cybercriminal underground.
IV. Cutlet ATM Malware Analysis (version 1.0 F)
A. “start cooking” and “CHECK HEAT” functions
Essentially, while heavily packed, the core Cutlet ATM malware is rather trivial and targets only ATM manufacturer. The variant accepts the integer input from 1-9, which corresponds to ATM cassette slot number from 1-9.
<cassette slot number (integer) x 50 “CUTLETS” of banknotes count 60>
“start cooking!” -> Dispense 50 “CUTLETS” of banknotes count 60
"CHECK HEAT" -> Dispense 1 “CUTLET”
“Reset” -> Reset the cash dispensing process
"Stop!" -> Terminates the cash “cooking” process
The malware operates leveraging the Nixdorf proprietary CSCWCNG.DLL API calls to manipulate the machine as follows:
CscCngOpen -> Connect to the ATM cashout module called “CNG” and open the device
CscCngDispense -> Dispense cash function to tray
CscCngTransport -> Transport cash to the collection for pickup
Monitoring, and reviewing any third-party applications that leverage the CSCWCNG API calls might assist with mitigating exposure to the Cutlet malware once it is already installed. It might be a good idea to whitelist only necessary applications to allow them to leverage these API calls.
VI. YARA RULE
rule crime_win32_atm_cutlet_unpacked_in_memory {
meta:
description = “Detects Cutlet ATM malware”
author = “@VK_Intel”
reference = “Detects the Cutlet ATM malware”
date = “2017-12-26”
hash = “fac356509a156a8f11ce69f149198108”
strings:
// DIEBOLD NIXDORF DLL ATM LIBRARY
$dll = “CSCWCNG.dll” wide ascii
// DLL PROCEDURES ASSOCIATED WITH CUTLET ATM
$dll_proc1 = “CscCngClose” wide ascii
$dll_proc2 = “CscCngTransport” wide ascii
$dll_proc3 = “CscCngReset” wide ascii
$dll_proc4 = “CscCngDispense” wide ascii
$dll_proc5 = “CscCngOpen” wide ascii
// CUTLET MALWARE STRINGS
$str0 = “CSCCNG” wide ascii
$str1 = “Code:” wide ascii
$str2 = “Delphi” wide ascii
condition:
$dll and 4 of ($dll_proc*) and all of ($str*)
}
Article Link: http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html