In late September 2013, the discovery of a new malware family, known as Ploutus, was announced. The malware was designed to attack a specific brand of ATM cash machines that were widely used in Mexico. Since then, the threat has evolved and new variants have been observed in different countries.
Malware setup and activation
NeoPocket was developed in Visual Basic. Although we do not possess the original dropper or the installation media, the infection vector most likely originates from a USB drive, and the attacker must have had physical access to the ATM machines. Other evidence supports the theory of an external drive being used: the threat accepts commands from a USB drive, and it always tests whether the USB drive is available on the infected system. It also checks whether it is being launched from the root directory; only in that case does it perform installation operations.
If executed from the root directory of any drive, it pops up its installation dialog, requesting an activation code:
The activation code must be given as a response to a challenge number (7600519 in our screenshot) in order to authorize the installation. The code is generated using the current date as seed:
If the code is correct, the malware verifies the presence of a few file locations that belong to the targeted ATM software:
When all checks are OK, the malware copies itself into the ATM software’s directory and creates the following files:
A registry key is created as well, in order to survive a system reboot. The malware also tampers with the ATM software’s configuration file, hijacking the default IpHost parameter:
All relevant communication between the ATM machine and the control host is then redirected through port 6000, where the threat listens and acts as a malicious proxy.
After a successful installation, it displays a notification message:
The threat also has a timer function that is called periodically to ensure automatic access to the USB drive, by constantly updating the Start value of the registry key SYSTEM\CurrentControlSet\Services\USBSTOR.
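The three host-side indicators described above (the hijacked IpHost parameter, the local proxy listening on port 6000, and the USBSTOR Start value being kept enabled) can be turned into a simple triage check. The following is an added example, not code from the original analysis; it assumes a key=value configuration format for the ATM software and runs over constructed sample data.

```python
import re

PROXY_PORT = 6000  # port on which the page says the malicious proxy listens
SERVICE_DISABLED = 4  # Windows service Start value meaning "disabled"

def iphost_hijacked(config_text, legitimate_host):
    """True if IpHost no longer names the legitimate control host (key=value format is an assumption)."""
    match = re.search(r"^\s*IpHost\s*=\s*(\S+)", config_text, re.MULTILINE | re.IGNORECASE)
    if not match:
        return False
    return match.group(1).lower() != legitimate_host.lower()

def listener_on_proxy_port(netstat_lines):
    """True if a TCP socket is LISTENING on PROXY_PORT in 'netstat -ano' style rows."""
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(PROXY_PORT):
                return True
    return False

def usbstor_reenabled(start_value):
    """A hardened ATM keeps USBSTOR disabled (Start=4); any other value lets USB mass storage load."""
    return start_value != SERVICE_DISABLED

def triage(config_text, legitimate_host, netstat_lines, usbstor_start):
    """Run all three checks and return the list of indicators that fired."""
    findings = []
    if iphost_hijacked(config_text, legitimate_host):
        findings.append("IpHost redirected away from control host")
    if listener_on_proxy_port(netstat_lines):
        findings.append("local listener on TCP %d" % PROXY_PORT)
    if usbstor_reenabled(usbstor_start):
        findings.append("USBSTOR service not disabled")
    return findings

# Constructed sample data resembling an infected host (not real captures).
SAMPLE_CONFIG = "[Network]\nIpHost=127.0.0.1\nTimeout=30\n"
SAMPLE_NETSTAT = [
    "Proto  Local Address          Foreign Address        State           PID",
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700",
    "TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       1488",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CONFIG, "10.1.2.3", SAMPLE_NETSTAT, 3):
        print("INDICATOR:", finding)
```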
The threat monitors window captions, looking for specific content:
- Escriba la clave ‘A’
- Escriba la clave ‘B’
- Enter the key ‘A’
- Enter the key ‘B’
This trick allows the attacker to carry out a man-in-the-middle attack.
Here is a table summarizing the files and their purpose in relation to the malware’s activity:
Interaction and control
In this fashion, creating files with specific names in the root of the drive is enough: when the malware detects them, it executes a series of default actions. The so-called commands are the following:
- Physically harden the entire ATM; do not limit hardening to the cash safe. The ATM’s computer should be isolated as well, so that unauthorized access to its components, ports and slots is not possible. Schedule periodic integrity checks, especially after maintenance and routine checks have been performed.
- Consider installing additional surveillance systems such as CCTV, or increasing the number of existing ones.
- Control USB and CD-ROM access at the BIOS level, and protect the BIOS with a password.
- Upgrade from Windows XP to a more recent version of the operating system (or choose an alternative OS), since support for Windows XP has ended. ATMs running Windows XP Embedded (Toolkit and Runtime) may be an exception, as extended support is available for them, but only until 12 January 2016.
- Use third-party solutions that provide real-time protection, such as Lookwise Device Manager for ATM.
Sample MD5: 1a6a240d2d03eb2c66c17a6593d4b6d2
Jozsef Gegeny and Santiago Vicente