New Ploutus ATM Malware Variant at Large

A new variant of the Ploutus ATM (automated teller machine) malware was recently observed, capable of interacting with KAL’s Kalignite multivendor ATM platform, FireEye security researchers warn.

Dubbed Ploutus-D, the new variant targets machines from ATM vendor Diebold, but FireEye says that the list of targets could expand greatly with only a few code changes. The Kalignite Platform runs on ATMs from 40 different vendors in 80 countries, making the new malware variant a significant threat.

First discovered in Mexico in 2013, the malware requires the attacker to have physical access to the ATM and to connect a keyboard to it. In 2014, researchers discovered that the malware could also be used to withdraw cash using SMS messages.

In the new attack, an attacker or money mule would need to open the top portion of the ATM, connect a keyboard to the machine, then use an activation code (provided by the actor in charge of the operation) to dispense money from the ATM.

“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk,” FireEye security researchers explain.

Ploutus-D can run on ATMs running Windows 10, Windows 8, Windows 7 and XP, comes with a different GUI than previous variants, features a “Launcher” meant to identify and kill security monitoring processes to avoid detection, and uses the Reactor .NET obfuscator, which is stronger than the obfuscator used in earlier variants.

The main purpose of the malware, however, remains the same as with the previous variant: empty the ATM without requiring an ATM card. Just as before, the malware can run as a standalone application or as a Windows service started by a Launcher.

However, the component with the capability to dispense money has been changed in the new variant, researchers say. Moreover, the malware authors have put more effort into obfuscation to ensure that their code can’t be easily reverse-engineered, as both the Launcher and the malware’s binary are protected with Reactor.

The Launcher, which can receive arguments via command line to install as a service, run the malware, or uninstall, performs an integrity check on itself before execution. The attacker interacts with the Launcher by attaching a keyboard to the ATM USB or PS/2 port. The malware adds itself to the “Userinit” registry key to allow execution after every reboot.
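The Userinit persistence described above leaves a trace a defender can check: the Winlogon “Userinit” value should contain only the system’s userinit.exe, and anything appended to it deserves a look. The following is an added example, not FireEye’s or SecurityWeek’s code; it audits constructed sample values as they would appear in a registry export, and the assumption that no legitimate vendor component registers itself in Userinit on the audited machines is labelled in the code.

```python
"""Audit a Winlogon 'Userinit' value for entries beyond the stock
userinit.exe (the persistence location the article attributes to
Ploutus-D).  Added example with constructed sample values."""
import ntpath
import re

# Assumption: on the audited machines nothing legitimate registers itself
# in Userinit, so the stock entry is the only one expected.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def split_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit string into its entries.
    Handles quoted paths, the customary trailing comma and stray spaces."""
    entries = []
    for raw in re.findall(r'"[^"]*"|[^,]+', value):
        item = raw.strip().strip('"').strip()
        if item:
            entries.append(item)
    return entries


def audit_userinit(value: str) -> list[str]:
    """Return every entry that is not the expected userinit.exe.
    The comparison is case-insensitive and path-normalised, so a
    same-named binary planted outside System32 is also flagged."""
    suspicious = []
    for entry in split_userinit(value):
        if ntpath.normpath(entry).lower() != EXPECTED_USERINIT:
            suspicious.append(entry)
    return suspicious


# Constructed sample values (not real indicators) as a registry export
# might show them.
SAMPLES = {
    "clean": r"C:\Windows\system32\userinit.exe,",
    "extra_entry": r"C:\Windows\system32\userinit.exe, C:\ProgramData\launcher.exe",
    "quoted_extra": r'"C:\Windows\System32\userinit.exe","C:\Temp\svc.exe",',
    "wrong_dir": r"C:\Windows\userinit.exe,",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {audit_userinit(value) or 'OK'}")
```

On a live Windows host the value to feed `audit_userinit` is read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the check is cheap enough to run on every boot of an ATM fleet.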

To ensure that all the software and versions needed for the malware to run properly are present on the machine, legitimate KAL ATM software is dropped onto the system along with Ploutus-D. This means that the attackers likely have access to the targeted ATM software, either by buying it from authorized resellers or by stealing ATMs from banks.

After installation, Ploutus-D checks for the KaligniteAPP mutex and starts running if it does not exist in the system. The malware hooks the keyboard for the attackers to interact with it. The malware’s GUI is enabled by entering a combination of “F” keys, then a valid 8-digit code is required to dispense money. The attacker can also enter the amount to withdraw and the number of cycles to repeat the dispensing operation.

The 8-digit code is calculated from a unique ID generated per ATM and the current month and day of the attack. These codes come from the actor in charge of the operation and expire after 24 hours. After the code is entered, the dispensing process can be started by pressing “F3” on the external keyboard.

“Kalignite Platform is said to support 40 ATM vendors. Looking at the code to dispense money, the only pieces adjusted to target Diebold are the different registry keys to read the cassette (DBD_AdvFuncDisp) parameters. Since Ploutus-D interacts with the Kalignite Platform, only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide,” FireEye says.

Related: New “Alice” Malware Drains All Cash from ATMs

Related: Cybercriminals Developing Biometric Skimmers for ATM Attacks

Related: “GreenDispenser” ATM Malware Allows Attackers to Steal Cash

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
