A new variant of the Ploutus ATM (automated teller machine) malware was recently observed, capable of interacting with KAL’s Kalignite multivendor ATM platform, FireEye security researchers warn.
Dubbed Ploutus-D, the new variant is targeting machines from ATM vendor Diebold, but FireEye says that the list of targets could greatly expand with only a few code changes. The Kalignite Platform runs on 40 different ATM vendors in 80 countries, making the new malware variant a great threat.
First discovered in Mexico in 2013, the malware requires for the attacker to have physical access to the ATM and to connect a keyboard to it. In 2014, researchers discovered that the malware could also be used to withdraw cash using SMS messages.
In the new attack, an attacker or money mule would need to open the top portion of the ATM, connect a keyboard to the machine, then use an activation code (provided by the actor in charge of the operation) to dispense money from the ATM.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk,” FireEye security researchers explain.
Ploutus-D can run on ATMs running Windows 10, Windows 8, Windows 7 and XP, comes with a different GUI interface than previous variants, features a "Launcher" meant to identify and kill security monitoring processes to avoid detection, and uses the Reactor .NET obfuscator, which is stronger than the previous tool.
The main purpose of the malware, however, remains the same as with the previous variant: empty the ATM without requiring an ATM card. Just as before, the malware can run as a standalone application or as a Windows service started by a Launcher.
Nonetheless, the component with the capability to dispense money has been changed in the new variant, researchers say. Moreover, the malware authors have put some more effort into obfuscation, to ensure that their code can’t be easily reverse-engineered, as both the Launcher and the malware’s binary are protected with Reactor.
The Launcher, which can receive arguments via command line to install as a service, run the malware, or uninstall, performs an integrity check on itself before execution. The attacker interacts with the Launcher by attaching a keyboard to the ATM USB or PS/2 port. The malware adds itself to the “Userinit” registry key to allow execution after every reboot.
To ensure that all the software and versions needed for the malware to run properly are present on the machine, legitimate KAL ATM software is dropped into the system along with Ploutus-D. This means that the attackers likely have access to the targeted ATM software, either through buying them from authorized resellers, or by stealing the ATMs from banks.
After installation, Ploutus-D checks for the KaligniteAPP mutex and starts running if it does not exist in the system. The malware hooks the keyboard for the attackers to interact with it. The malware’s GUI is enabled by entering a combination of “F” keys, then a valid 8-digit code is required to dispense money. The attacker can also enter the amount to withdraw and the number of cycles to repeat the dispensing operation.
The 8-digit code is calculated based on a unique ID generated per ATM and the current month and day of the attack. These codes come from the actor in charge with the operation and expire after 24 hours. After the code is entered, the dispensing process can be started by pressing “F3” from the external keyboard.
“Kalignite Platform is said to support 40 ATM vendors. Looking at the code to dispense money, the only pieces adjusted to target Diebold are the different registry keys to read the cassette (DBD_AdvFuncDisp) parameters. Since Ploutus-D interacts with the Kalignite Platform, only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide,” FireEye says.