Security experts from Kaspersky Lab have discovered a new piece of malware dubbed WinPot that target ATMs, it could be used by crooks to make the ATMs automatically dispense all cash from their cassettes.
WinPot was first detected in March 2018 when it infected ATMs of a popular vendor.
The malicious code has a user interface that looks like a slot machine, it represents each cassette with a reel numbered 1 to 4. The UI includes a button for each cassette to dispense the cash and information on
The interface has two other buttons, the SCAN and STOP ones. The former allows to rescan the ATM and update the information in the UI, the latter allows to the halt the dispensing in progress.
“The criminals had clearly spent some time on the interface to make it look like that of a slot machine.” reads the analysis published by Kaspersky.
Researchers from Kaspersky Lab discovered multiple WinPot samples over the past year, the experts observed minor changes, such as a different packer or changed time period during which the malware was programmed to work. Like other malware such as the Cutlet Maker, WinPot is offered for sale on the Dark Web, it goes for a price of $500
“One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story. ” continues the expert.
Due to its nature, ATM malware will remain the same except for little changes that will allow:
“The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent