An old friend in the ATM malware space is back in town, now with some renewed advanced features. Ploutus, one of the most sophisticated ATM malware families, was first discovered in the wild in Mexico in 2013. Designed for ATM jackpotting, that is, a technique used to steal huge amounts of money in cash from an ATM without having to use a credit or debit card, Ploutus has been widely used in the past few years, targeting NCR ATMs.
A new variant of Ploutus, dubbed Ploutus-D, has been recently discovered by researchers at FireEye. Although the modus operandi stays the same as that of its predecessors (see our blog post), the main novelty of Ploutus-D is that it now uses components of KAL’s Kalignite multivendor ATM software, which runs on 40 different ATM vendors. The Kalignite components allow Ploutus-D to abuse the XFS layer to gain illegitimate full control of ATM hardware devices such as the dispenser, card reader and pinpad. So far, malware samples have been seen targeting Diebold ATMs, but this new technology would allow the malware to easily broaden its scope to multiple ATM vendors in the near future.
Cybercriminals might have got access to KAL software by stealing physical ATMs from the banks (a criminal tactic widely used in LATAM), or even by buying them from authorized resellers.
Other new features introduced in Ploutus-D are a renewed GUI, stronger obfuscation and new packaging with a Launcher that attempts to identify and kill security solutions.
Ploutus-D is just another example that ATM malware is a hot topic and a big concern nowadays for the banking industry, with the number of attacks growing rapidly and targeting all countries and regions.
ATM Jackpotting using PLOUTUS-D Malware
Ploutus-D allows an attacker to instruct the ATM to dispense money without the need for a credit or debit card.
Ploutus-D requires physical access to the ATM to perform the infection and control the malware, and makes use of multivendor Kalignite’s software components to gain access to the cash dispenser and pinpad through the standard XFS layer.
This is how the PLOUTUS-D ATM Jackpotting attack works:
- Criminals gain physical access to ATM’s core CPU by means of breaking the top-box or using front-cover keys.
- Once physical access is gained they leverage access to the USB ports or CDROM drive to infect the ATM with the malware. They also connect a standard keyboard to be able to operate it.
- Ploutus-D contains an executable (AgilisConfigurationUtility.exe) and a Launcher (Diebold.exe). The executable can run as a standalone application or as a service installed by the Launcher, and will be controlled from the keyboard.
- PLOUTUS-D runs in the background waiting for a combination of keystrokes to activate and take control of the ATM. It then displays a custom GUI asking for an authorization code, to guarantee control of the mule.
- If authorization is granted, PLOUTUS-D displays details of how much money is available on each cash cassette and uses Kalignite’s XFS components to interact with the ATM dispenser, allowing the cybercriminal to issue multiple dispensing commands to empty the cash.
- Activation and dispensing codes can be sent to PLOUTUS-D from the keyboard or from the ATM pinpad.
- Finally, after the “cash-out” is completed, PLOUTUS-D provides a cleanup mechanism to remove any traces of the attack.
Security Measures against PLOUTUS-D ATM Malware
Malware attacks are one of the biggest concerns in ATM fraud. Every ATM is exposed to malware attacks and therefore, the application of robust and efficient security countermeasures becomes a basic and non-negotiable necessity.
In the case of PLOUTUS-D, the attack could be aborted in the infection phase by blocking external USB or keyboard devices (HW Protection), and by encrypting the hard disk (Full Disk Encryption) to prevent its manipulation from outside the operating system.
Even if the ATM had been infected with PLOUTUS-D, the attack could still be blocked by Application Whitelisting, a protection layer that would allow neither the Launcher (Diebold.exe) nor the malware executable (AgilisConfigurationUtility.exe) to run.
Furthermore, it is critical to stay vigilant and continuously monitor the ATM network for suspicious activities like ATM disconnections or reboots, as well as having the ability to react quickly and remotely to be able to identify and clean the infected ATMs.
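The monitoring and whitelisting measures above can be combined into a simple triage rule. The following is an added example, not code from S21sec or any product named here: the event format, ATM identifiers, digests and the 45-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed allowlist: placeholder digests standing in for hashes of approved binaries.
ALLOWED = {"HASH-APPROVED-ATM-APP", "HASH-APPROVED-XFS-SERVICE"}

# Constructed events, as a central ATM monitoring console might collect them.
EVENTS = [
    ("ATM-017", "2000-01-01T02:10:00", "usb_attach", "keyboard"),
    ("ATM-017", "2000-01-01T02:14:00", "process_start", "Diebold.exe|HASH-UNKNOWN-1"),
    ("ATM-017", "2000-01-01T02:15:00", "process_start",
     "AgilisConfigurationUtility.exe|HASH-UNKNOWN-2"),
    ("ATM-017", "2000-01-01T02:40:00", "reboot", ""),
    ("ATM-022", "2000-01-01T03:00:00", "process_start", "atmapp.exe|HASH-APPROVED-ATM-APP"),
    ("ATM-022", "2000-01-01T09:00:00", "reboot", ""),
    ("ATM-031", "2000-01-01T04:00:00", "network_disconnect", ""),
]

def triage(events, window=timedelta(minutes=45)):
    """Return {atm_id: sorted findings} for ATMs that need review."""
    findings, last_attach = {}, {}
    for atm, ts, kind, detail in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        hits = findings.setdefault(atm, set())
        if kind == "usb_attach":
            last_attach[atm] = when
            hits.add("external device attached: " + detail)
        elif kind == "process_start":
            name, digest = detail.split("|")
            # Decide on the digest, never on the file name: whoever drops
            # the file chooses its name.
            if digest not in ALLOWED:
                hits.add("unapproved executable: " + name)
        elif kind in ("reboot", "network_disconnect"):
            # A lone reboot or disconnection is common, so this sketch only
            # raises it when it follows a device attach within the window.
            attached = last_attach.get(atm)
            if attached and when - attached <= window:
                hits.add(kind + " shortly after device attach")
    return {atm: sorted(h) for atm, h in findings.items() if h}

def priority(findings):
    """ATMs with two or more distinct findings are escalated first."""
    return sorted(atm for atm, h in findings.items() if len(h) >= 2)

if __name__ == "__main__":
    result = triage(EVENTS)
    for atm, hits in result.items():
        print(atm, hits)
    print("escalate:", priority(result))
```
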
S21sec develops solutions adapted to the needs of the banking industry, like its product Lookwise Device Manager, designed to manage the security of ATM networks. S21sec also provides specialized and advanced security services to fight fraud in financial organizations.
We are members and sponsors of the main ATM industry associations, like ATMIA and ATEFI.
For further information please contact us.
Juan Ramón Aramendía
Product Manager Lookwise