An old friend in the ATM malware space is back in town, and now with some renewed advanced features. Ploutus, one of the most sophisticated ATM malware families, was first discovered in the wild in Mexico in 2013. Designed for ATM jackpotting, that is, a technique used to steal large amounts of cash from an ATM without having to use a credit or debit card, Ploutus has been widely used in the past few years, targeting NCR ATMs.
A new variant of Ploutus, dubbed Ploutus-D, has recently been discovered by researchers at FireEye. Although the modus operandi stays the same as in its predecessors (see our blog post), the main novelty of Ploutus-D is that it now uses components of KAL’s Kalignite multivendor ATM software, which runs on ATMs from 40 different vendors. The Kalignite components allow Ploutus-D to abuse the XFS layer to gain illegitimate full control of ATM hardware devices such as the dispenser, card reader and pinpad. So far, malware samples have been seen to target Diebold ATMs, but this new technology would allow the malware to easily broaden its scope to multiple ATM vendors in the near future.
Cybercriminals may have obtained access to KAL software by stealing physical ATMs from banks (a criminal tactic widely used in LATAM), or even by buying them from authorized resellers.
Other new features introduced in Ploutus-D are a renewed GUI, stronger obfuscation and a new packaging with a Launcher that attempts to identify and kill security solutions.
Ploutus-D is just another sign that ATM malware is a hot topic and a big concern nowadays for the banking industry, with the number of attacks growing rapidly and targeting all countries and regions.

ATM Jackpotting using PLOUTUS-D Malware

Ploutus-D allows an attacker to instruct the ATM to dispense money without the need for a credit or debit card.
Ploutus-D requires physical access to the ATM to perform the infection and to control the malware, and makes use of Kalignite’s multivendor software components to gain access to the cash dispenser and pinpad through the standard XFS layer.
This is how the PLOUTUS-D ATM Jackpotting attack works:

  • Criminals gain physical access to ATM’s core CPU by means of breaking the top-box or using front-cover keys.
  • Once physical access is gained they leverage access to the USB ports or CDROM drive to infect the ATM with the malware. They also connect a standard keyboard to be able to operate it.
  • Ploutus-D contains an executable (AgilisConfigurationUtility.exe) and a Launcher (Diebold.exe). The executable can run as a standalone application or as a service installed by the Launcher, and will be controlled from the keyboard.
  • PLOUTUS-D runs in the background waiting for a combination of keystrokes to activate and take control of the ATM. It then displays a custom GUI asking for an authorization code, to guarantee control of the mule.
  • If authorization is granted, PLOUTUS-D displays details of how much money is available on each cash cassette and uses Kalignite’s XFS components to interact with the ATM dispenser, allowing the cybercriminal to issue multiple dispensing commands to empty the cash.
  • Activation and dispensing codes can be sent to PLOUTUS-D from the keyboard or from the ATM pinpad.
  • Finally, after the “cash-out” is completed, PLOUTUS-D provides a cleanup mechanism to remove any traces of the attack.


Security Measures against PLOUTUS-D ATM Malware

Malware attacks are one of the biggest concerns in ATM fraud. Every ATM is exposed to malware attacks and therefore, the application of robust and efficient security countermeasures becomes a basic and non-negotiable necessity.
In the case of PLOUTUS-D, the attack could be aborted in the infection phase by blocking external USB or keyboard devices (HW Protection), and by encrypting the hard disk (Full Disk Encryption) to prevent its manipulation from outside the operating system.
Even if the ATM had been infected with PLOUTUS-D, the attack could still be blocked by using Application Whitelisting, a protection layer that would not allow the Launcher (Diebold.exe) or the malware executable (AgilisConfigurationUtility.exe) to run.
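The following Python script is an added illustration of the whitelisting point above; it is not code from S21sec or from any ATM vendor. It contrasts a path-based allow rule with a hash-based one over constructed launch events. The file paths, the byte strings standing in for binaries and the event list are all placeholders invented for the example; the two Ploutus-D file names are the ones named in this post.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image (here a byte string stands in for the file)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the approved ATM software images. In a real deployment
# the allowlist is built from the actual files of the bank's ATM build; the paths
# and contents below are placeholders, not real products' files.
APPROVED_IMAGES = {
    r"C:\ATM\Agilis\Agilis.exe": b"placeholder bytes of the approved Agilis build",
    r"C:\ATM\Kalignite\KXfs.exe": b"placeholder bytes of the approved Kalignite build",
}

ALLOWED_PATHS = set(APPROVED_IMAGES)
ALLOWED_HASHES = {sha256_hex(img) for img in APPROVED_IMAGES.values()}


@dataclass(frozen=True)
class LaunchEvent:
    path: str    # where the process image was launched from
    image: bytes # the bytes of the image that was launched


def verdict_by_path(event: LaunchEvent) -> str:
    """Weak rule: allow anything launched from an approved path."""
    return "allow" if event.path in ALLOWED_PATHS else "block"


def verdict_by_hash(event: LaunchEvent) -> str:
    """Strong rule: allow only images whose SHA-256 is on the allowlist."""
    return "allow" if sha256_hex(event.image) in ALLOWED_HASHES else "block"


# Constructed launch attempts on one ATM (sample events, not real telemetry).
EVENTS = [
    # The approved application, launched from its normal location.
    LaunchEvent(r"C:\ATM\Agilis\Agilis.exe", APPROVED_IMAGES[r"C:\ATM\Agilis\Agilis.exe"]),
    # Ploutus-D components run from removable media; the names mimic vendor software.
    LaunchEvent(r"D:\Diebold.exe", b"constructed launcher stand-in"),
    LaunchEvent(r"D:\AgilisConfigurationUtility.exe", b"constructed payload stand-in"),
    # An approved binary overwritten in place: same path, different content.
    LaunchEvent(r"C:\ATM\Agilis\Agilis.exe", b"constructed tampered copy"),
]


def evaluate(events=EVENTS):
    """Return (path, path-rule verdict, hash-rule verdict) for each launch event."""
    return [(e.path, verdict_by_path(e), verdict_by_hash(e)) for e in events]


if __name__ == "__main__":
    for path, by_path, by_hash in evaluate():
        print(f"{path:45} path-rule={by_path:5} hash-rule={by_hash}")
```

Both rules stop the two Ploutus-D files when they are run from removable media, but only the hash rule stops the last event, an approved binary replaced in place. That case is why the post pairs whitelisting with Full Disk Encryption: replacing a file on the ATM disk from outside the operating system is the kind of manipulation FDE is meant to prevent.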
Furthermore, it is critical to stay vigilant and continuously monitor the ATM network for suspicious activities like ATM disconnections or reboots, as well as having the ability to react quickly and remotely to be able to identify and clean the infected ATMs.
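As an added example of the fleet monitoring described above (written for this post, not part of any S21sec product), the script below runs two checks over constructed heartbeat records from a hypothetical ATM fleet: a reboot is inferred when an ATM's reported uptime drops, and a disconnection is raised when an ATM misses more than a configurable number of reporting intervals. The ATM identifiers, timestamps, uptimes and the five-minute reporting interval are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed heartbeat records: (ISO timestamp, ATM id, OS uptime in seconds).
# Each ATM agent is assumed to report every 5 minutes. Uptime is compared across
# reports so that a reboot is noticed even if local logs on the ATM were wiped.
HEARTBEATS = [
    ("2017-01-12T08:00:00", "ATM-0101", 86400),
    ("2017-01-12T08:00:00", "ATM-0102", 90000),
    ("2017-01-12T08:05:00", "ATM-0101", 86700),
    ("2017-01-12T08:05:00", "ATM-0102", 90300),
    ("2017-01-12T08:10:00", "ATM-0101", 120),   # uptime reset: ATM-0101 rebooted
    # ATM-0102 sends nothing after 08:05 (constructed disconnection)
    ("2017-01-12T08:15:00", "ATM-0101", 420),
    ("2017-01-12T08:20:00", "ATM-0101", 720),
]

REPORT_INTERVAL = timedelta(minutes=5)


def analyze(heartbeats, now, interval=REPORT_INTERVAL, missed_allowed=2):
    """Return sorted (atm_id, alert_type, timestamp) tuples.

    alert_type is "reboot" (uptime went backwards between two reports) or
    "disconnected" (no report for more than missed_allowed intervals as of now).
    """
    last_seen = {}
    last_uptime = {}
    alerts = []
    for ts, atm, uptime in sorted(heartbeats, key=lambda r: r[0]):
        t = datetime.fromisoformat(ts)
        if atm in last_uptime and uptime < last_uptime[atm]:
            alerts.append((atm, "reboot", ts))
        last_seen[atm] = t
        last_uptime[atm] = uptime
    for atm, t in last_seen.items():
        if now - t > interval * missed_allowed:
            alerts.append((atm, "disconnected", t.isoformat()))
    return sorted(alerts)


if __name__ == "__main__":
    for atm, kind, when in analyze(HEARTBEATS, datetime(2017, 1, 12, 8, 20)):
        print(f"{atm}: {kind} at {when}")
```

In practice the reboot check is combined with a schedule of planned maintenance so that expected restarts are suppressed, while an unscheduled reboot or a silent ATM becomes the trigger for the remote inspection and cleanup the post calls for.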
S21sec develops solutions adapted to the needs of the banking industry, like its product Lookwise Device Manager, designed to manage the security of ATM networks. S21sec also provides specialized and advanced security services to fight fraud in financial organizations.
We are members and sponsors of the main ATM industry associations, like ATMIA and ATEFI.
For further information please contact us.


Juan Ramón Aramendía

Product Manager Lookwise


