Pierluigi Paganini March 04, 2023

Researchers at Metabase Q discovered a new ATM malware, dubbed FiXS, that was employed in attacks against Mexican banks since February 2023.

Researchers at Metabase Q recently spotted a new ATM malware, dubbed FiXS, that is currently targeting Mexican banks. The name comes from the malware’s code name in the binary. 

The experts have yet to determine the initial attack vector, they reported that FiXS utilizes an external keyboard (similar to Ploutus). In Ploutus attacks, threat actors with access to these teller machines physically connects an external keyboard to to the ATM to launch the attack. 

Below is a list of key relevant characteristics of the FiXS ATM malware:

• It instructs the ATM to dispense money 30 minutes after the last ATM reboot
• It is hidden inside another not-malicious-looking program
• It is vendor-agnostic targeting any ATM that supports CEN XFS
• It interacts with the crooks via external keyboard
• It waits for the Cassettes to be loaded to start dispensing
• It contains Russian metadata

The ATM Malware is embedded in a dropper, the experts spotted it due to the presence of XFS related strings like.

XFS (extensions for financial services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as EFTPOS terminals and ATMs which are unique to the financial industry.

“Normally this DLL MSXFS.dll comes with the necessary XFS APIs to control the Dispenser.” reads the analysis published by the experts. “Interestingly, the source locale/language reflected in the resources is Russian (LCID=1049), which suggest the origin of this piece of malware.”

The embedded malware is decoded with XOR instruction, the researchers noticed that the key changes in every loop via decode_XOR_key() function.

The encoded binary is stored in the appended data section, the size of the FiXS malware is only 105 KB. 

The dropper stores the embedded malicious code within a folder with the hardcoded name: “3582-490”, and sets the name equal to the dropper one as conhost.exe. Then the FiXS ATM Malware is launched  via  “ShellExecute” Windows API.

Upon launching the malware, operators can interact with it through the ATM keyboard/touchscreen. Below the list of combination supported by the malware:

M - Show or Hide the Window
A - Get Cash units info
C - Close session with Dispenser and kills the process
B - Dispense money
J - Not validated
P - Not validated

The FiXS malware dispenses money 30 minutes after the last ATM reboot by leveraging the Windows GetTickCount API.

“This means that whoever restarted the ATM last time, and probably the one who installed the malware ( a maintenance engineer, a consultant, etc), the mule will arrive soon after.” continues the report. “In the next figure, the 30 minutes validation can be seen via GetTickCount API, and then the Dispenser is commanded to spit out money via command id 302 equal to WFS_CMD_CDM_DISPENSE.”

The researchers provide Indicators of Compromise (IoCs) to allow defenders at banks and financial institutions to detect the threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ATM malware)