Pierluigi Paganini February 21, 2019

Malware researchers from Kaspersky Lab have detected a new piece of malware dubbed WinPot that was designed to target automated teller machines (ATMs).

Security experts from Kaspersky Lab have discovered a new piece of malware dubbed WinPot that target ATMs, it could be used by crooks to make the ATMs automatically dispense all cash from their cassettes.

WinPot was first detected in March 2018 when it infected ATMs of a popular vendor.

The malicious code has a user interface that looks like a slot machine, it represents each cassette with a reel numbered 1 to 4. The UI includes a button for each cassette to dispense the cash and information on bank note value and the number of banknotes inside. 

The interface has two other buttons, the SCAN and STOP ones. The former allows to rescan the ATM and update the information in the UI, the latter allows to the halt the dispensing in progress.

“The criminals had clearly spent some time on the interface to make it look like that of a slot machine.” reads the analysis published by Kaspersky.

“Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN.”

Researchers from Kaspersky Lab discovered multiple WinPot samples over the past year, the experts observed minor changes, such as a different packer or changed time period during which the malware was programmed to work. Like other malware such as the Cutlet Maker, WinPot is offered for sale on the Dark Web, it goes for a price of $500 up to $1000. 

“One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story. ” continues the expert.

Due to its nature, ATM malware will remain the same except for little changes that will allow:

• To trick the ATM security systems (using protectors or other ways to make each new sample unique);
• To overcome potential ATM limitations (like maximum notes per dispense);
• To find ways to keep the money mules from abusing their malware;
• To improve the interface and error-handling routines.

“The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it,” Kaspersky concludes. 

Pierluigi Paganini

(SecurityAffairs – POS malware, ATMs.)

[adrotate banner=”5″]

[adrotate banner=”13″]