Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The threat allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.
Experts at FireEye Labs have recently discovered a new version of the Ploutus ATM malware, dubbed Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.
The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.
Below the improved introduced in the Ploutus-D
While similarities between Ploutus and Ploutus-D are:
The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.
The malware will add itself to the “Userinit” registry key to gain persistence, the key is located at:
The attacker must interact with the Launcher by connecting a keyboard to the ATM USB or PS/2 port as illustrated in the following picture.
“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.
The Launcher dropped legitimate files into the system, such as the KAL ATM, along with Ploutus-D. This action makes sure that all the software and versions needed to properly run the malware are present in the same folder to avoid any dependency issues.
The Ploutus-D could allow crooks to steal thousands of dollars in minutes reducing the risk to be caught while stealing the money under the CCTV.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes.” states the analysis published by FireEye. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”
In order to install the malware attackers likely have access to the targeted ATM software. The experts also speculate the crooks can buy physical ATMs from authorized resellers, which come preloaded with vendor software, or in the worst scenario they could steal the ATMs directly from the bank.
The analysis includes the main differences with previous versions and Indicators of Compromise (IOC) to use for the identification of the threat.
(Security Affairs – Ploutus-D, ATM hacking)