Security analysts have observed a new iteration of the Ploutus ATM malware which is able to interact with the Kalignite ATM platform made by the KAL company.
Ploutus Malware Attacks ATMs In a Second Wave
FireEye security specialists discovered a new iteration of the infamous Ploutus malware, which targets ATMs. It is dubbed Ploutus-D because the current wave of attack campaigns targets systems manufactured by the Diebold vendor. However, this can easily change, as the list of targets can be modified with only a few changes to the virus code. The victim Kalignite Platform is one of the market leaders in ATM platforms: it runs on 40 different vendors in 80 countries.
The first version of the malware was discovered in 2013 in Mexico and required the attackers to gain physical access to the devices and connect to them using a keyboard. One year later (2014) it was discovered that the ATMs could be made to dispense the cash they hold using SMS messages. The new version (Ploutus-D) relies on criminals who open the top portion of the ATM, connect a keyboard to it and use a special activation code to dispense the money from the cash drawers. Once the virus is in place it is very easy for the money mules to obtain thousands of dollars, as the virus allows malicious codes to force the ATM to dispense its contents.
The virus affects ATMs running Windows XP, Windows 7, Windows 8 (and 8.1) and Windows 10. In comparison to the previous version it uses a different GUI. It features a Launcher component which identifies and kills any security monitoring software installed on the device. It also uses the Reactor .NET obfuscator to hinder analysis and evade detection.
The new Ploutus malware can run as a standalone application or as a Windows service started by its Launcher. It accepts command line arguments that control it: service installation and uninstallation, integrity checks and various execution-related commands. Interaction is possible by attaching a keyboard to the USB or PS/2 ports of the machine. In addition, upon infection the malware adds itself to a registry key for persistence.
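As an added defensive example (not code from the FireEye report or from this article), the following PowerShell audit lists registry autostart entries and automatically started services whose executables fall outside a known-good baseline, which is where a Launcher-installed service or a persistence entry like the one described above would surface. The article does not name the registry key Ploutus-D uses, so the Run/RunOnce keys, the service check and the allowlisted paths below are assumptions chosen for illustration, and the allowlist is a constructed sample.

```powershell
# Added example, not part of the original article or the FireEye report.
# Audits common Windows autostart locations on an ATM host and reports every
# entry whose executable is not under an allowlisted directory, together with
# whether that executable carries a valid Authenticode signature.
#
# ASSUMPTIONS: the article only says the malware "adds itself to a registry key";
# the Run/RunOnce keys checked here and the Win32_Service check are our choice.
# The allowlist below is a constructed sample; replace it with the host's
# known-good baseline (vendor ATM platform, EDR agent, OS directories).

$Allowlist = @(
    'C:\Program Files\KAL\',            # constructed: vendor ATM platform path
    'C:\Program Files\Windows Defender\',
    'C:\Windows\System32\',
    'C:\Windows\SysWOW64\'
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-Allowlisted {
    param([string]$Path)
    foreach ($prefix in $Allowlist) {
        if ($Path -like "$prefix*") { return $true }
    }
    return $false
}

# Recover the executable path from a command line: a quoted path is taken
# whole, otherwise the first whitespace-delimited token is used.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split ' ')[0]
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Path)
    # Missing files or unsigned binaries both yield Signed = $false.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source = $Source
        Name   = $Name
        Path   = $Path
        Signed = ($null -ne $sig -and $sig.Status -eq 'Valid')
    }
}

$Findings = @()

# 1. Registry autorun entries
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $exe = Get-ExecutablePath -CommandLine ([string]$props.$name)
        if (-not (Test-Allowlisted $exe)) {
            $Findings += New-Finding -Source $key -Name $name -Path $exe
        }
    }
}

# 2. Services configured to start automatically (the malware can run as a service)
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
    $exe = Get-ExecutablePath -CommandLine ([string]$svc.PathName)
    if (-not (Test-Allowlisted $exe)) {
        $Findings += New-Finding -Source 'Service' -Name $svc.Name -Path $exe
    }
}

# Unsigned entries outside the baseline are listed first for review.
$Findings | Sort-Object Signed, Source, Name | Format-Table -AutoSize
```

Run it from an elevated prompt on the ATM host, since HKLM and service enumeration need administrative rights. Any autostart entry or automatic service that is both outside the vendor baseline and unsigned should be treated as a priority finding and compared against a clean image of the same ATM model.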
Upon infection it performs a detailed system check to ensure that it can run properly. This is done by dropping legitimate KAL ATM software modules alongside the virus. After this the malware hooks the keyboard and various processes.
The malware’s GUI can be controlled by pressing a specific combination of the “F” keys and entering a valid 8-digit code. The attackers can choose the amount of money and the number of cycles per withdrawal. This 8-digit activation code is calculated from the machine’s unique ID and the date of the attack.