Ploutus… Doesn't it sound a little familiar?
Let's have a look…
A sophisticated ATM Malware which was discovered in Mexico back in 2013 named Ploutus. It is one of the most advance ATM malware families we've seen in the last few years. Ploutus enabled criminals to empty ATM's using either an external keyboard attached to the machine or via SMS messaging, a technique which is never been seen before.
Recent identification of this previously unobserved version of Ploutus dubbed Ploutus-D was done by FireEye labs, that interacts with KAL's Kalignite multivendor ATM platform. The samples were identified targeting the ATM vendor Diebold. But the most worrying aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.
If it is once deployed to an ATM, it makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.
Let's see the improved introduction in the Ploutus-D:
- Uses the Kalignite multivendor ATM Platform
- Configured to control Diebold ATMs
- Could run on ATMs running the Windows 10, Windows 8, Windows 7 & XP OS.
- Has a different GUI interface
- Comes with a Launcher, that attempts to identify and kill security monitoring processes to avoid detection
- Uses a stronger .NET obfuscator called Reactor
Let's find out the similarities between Ploutus & Ploutus-D:
- Main purpose is to empty the ATM without requiring an ATM card.
- Attacker must interact with the malware using an external keyboard attached to the ATM.
- An activation code is generated by the attacker, which expires after 24 hours.
- Both were created in .NET.
- Can run as Windows Service or standalone application.
The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.
The malware will add itself to the “Userinit” registry key to gain persistence, the key is located at:
\HKLM\Software\Microsoft\Windo ws NT\CurrentVersion\Winlogon\Use rinit
The attacker must interact with the Launcher by connecting a keyboard to the ATM USB or PS/2 port as illustrated in the following picture.
“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.
The Launcher dropped legitimate files into the system, such as the KAL ATM, along with Ploutus-D. This action makes sure that all the software and versions needed to properly run the malware are present in the same folder to avoid any dependency issues.
In order to install the malware attackers likely have access to the targeted ATM software. The experts also speculate the crooks can buy physical ATMs from authorized resellers, which come preloaded with vendor software, or in the worst scenario they could steal the ATMs directly from the bank.
No comments:
Post a Comment