Malware researchers from Kaspersky Lab have detected a new piece of malware dubbed WinPot that was designed to target automated teller machines (ATMs).
Security experts from Kaspersky Lab have discovered a new piece of malware dubbed WinPot that target ATMs, it could be used by crooks to make the ATMs automatically dispense all cash from their cassettes.
WinPot was first detected in March 2018 when it infected ATMs of a popular vendor.
The malicious code has a user interface that looks like a slot machine, it represents each cassette with a reel numbered 1 to 4. The UI includes a button for each cassette to dispense the cash and information on bank note value and the number of banknotes inside.
The interface has two other buttons, the SCAN and STOP ones. The former allows to rescan the ATM and update the information in the UI, the latter allows to the halt the dispensing in progress.
“The criminals had clearly spent some time on the interface to make it look like that of a slot machine.”reads the analysis published by Kaspersky.
“Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN.”
Researchers from Kaspersky Lab discovered multiple WinPot samples over the past year, the experts observed minor changes, such as a different packer or changed time period during which the malware was programmed to work. Like other malware such as the Cutlet Maker, WinPot is offered for sale on the Dark Web, it goes for a price of $500 up to $1000.
“One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story. ” continues the expert.
Due to its nature, ATM malware will remain the same except for little changes that will allow:
To trick the ATM security systems (using protectors or other ways to make each new sample unique);
To overcome potential ATM limitations (like maximum notes per dispense);
To find ways to keep the money mules from abusing their malware;
To improve the interface and error-handling routines.
“The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it,” Kaspersky concludes.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.