Ploutus is a sophisticated piece of ATM malware that was first discovered in Mexico in 2013. The threat allows crooks to steal cash from ATMs either by using an external keyboard attached to the machine or by sending it SMS messages.
Experts at FireEye Labs have recently discovered a new version of the Ploutus ATM malware, dubbed Ploutus-D, that works with KAL’s Kalignite multivendor ATM platform.
The experts observed Ploutus-D in attacks against ATMs from the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.
Below are the improvements introduced in Ploutus-D:
The similarities between Ploutus and Ploutus-D are:
The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.
The malware adds itself to the “Userinit” registry key to gain persistence. The key is located at:
\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
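A defender can audit this persistence point by checking that the Userinit value lists nothing besides the stock `userinit.exe`. The following is an added example, not code from FireEye's analysis or from the original article; the function names and the sample path are hypothetical, and the sample value is constructed.

```python
import ntpath
import os

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample value: the stock entry followed by a placeholder path.
# The placeholder is NOT the real Ploutus-D launcher path (the page gives none).
SAMPLE = r"C:\Windows\system32\userinit.exe,C:\ExamplePath\launcher-placeholder.exe"


def audit_userinit(value, system_root=r"C:\Windows"):
    """Return every Userinit entry that is not the stock userinit.exe."""
    expected = ntpath.normcase(
        ntpath.join(system_root, "system32", "userinit.exe"))
    unexpected = []
    # Userinit is a comma-separated list; Winlogon starts each entry at logon.
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        # Normalise case, slashes and ".." before comparing, so that
        # cosmetic variants of the stock path are not reported.
        if ntpath.normcase(ntpath.normpath(entry)) != expected:
            # Includes bare names such as "userinit.exe": flagged for review
            # because they resolve through the search path.
            unexpected.append(entry)
    return unexpected


def read_userinit():
    """Read the live value from the 64-bit registry view (Windows only)."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    on_windows = os.name == "nt"
    value = read_userinit() if on_windows else SAMPLE
    root = os.environ.get("SystemRoot", r"C:\Windows") if on_windows else r"C:\Windows"
    findings = audit_userinit(value, root)
    for entry in findings:
        print("Unexpected Userinit entry:", entry)
    if not findings:
        print("Userinit contains only the stock userinit.exe")
```

On a non-Windows host the script audits the constructed sample instead of the live registry.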
The attacker must interact with the Launcher by connecting a keyboard to the ATM USB or PS/2 port as illustrated in the following picture.
“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.
The Launcher dropped legitimate files into the system, such as the KAL ATM, along with Ploutus-D. This action makes sure that all the software and versions needed to properly run the malware are present in the same folder to avoid any dependency issues.
Ploutus-D could allow crooks to steal thousands of dollars in minutes, reducing the risk of being caught on CCTV while stealing the money.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes.” states the analysis published by FireEye. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”
In order to install the malware, attackers likely have access to the targeted ATM software. The experts also speculate that the crooks can buy physical ATMs from authorized resellers, which come preloaded with vendor software, or, in the worst-case scenario, steal the ATMs directly from the bank.
The analysis includes the main differences from previous versions and Indicators of Compromise (IOCs) that can be used to identify the threat.
(Security Affairs – Ploutus-D, ATM hacking)