Kaspersky Labs produced a video showing how the hack was carried out. More details were provided in a blog post.
Once the malware - known as Tyupkin - has been installed, the "mule" sent to collect the cash must enter a code on the machine's key pad.
"Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky.
"Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly."
His demonstration on stage at security conference Black Hat provoked a standing ovation.