Ploutus ATM Malware: Press F3 for Money

Ploutus-D needs crooks to connect a keyboard to ATMs
Ploutus-D needs crooks to connect a keyboard to ATMs (via FireEye)

Security researchers from FireEye have identified a new variant of the Ploutus ATM malware, used for the past few years to make ATMs spew out cash on command.

The Ploutus ATM malware family appeared in 2013 and was one of the first that allowed crooks to connect a keyboard to ATMs and make them spew cash.

In 2014, another Ploutus version grabbed headlines all over the world because it allowed thieves to empty out machines by sending an SMS message to the ATM.

New Ploutus malware version targets Diebold-made ATMs

According to researchers, this new variant was spotted in November 2016, when someone uploaded a copy on the VirusTotal aggregated scanning engine.

This mistake allowed researchers to get their hands on a copy of this new version, which they nicknamed Ploutus-D due to features that allowed it to specifically target Diebold ATMs.

Later analysis revealed that with minor modifications, Ploutus-D could also target the ATMs of other vendors that built their cash dispensers on the Kalignite Platform, currently deployed by 40 different ATM vendors in 80 countries.

A keyboard helps crooks empty out ATMs

Similar to previous variants, crooks deploy Ploutus-D if they are able to access unsecured ATM ports where they connect a keyboard to the ATM’s available ports.

The keyboard allows them access to the ATM’s software. According to experts, Ploutus-D can be used effectively against ATMs running on Windows 10, 8, 7, and XP.

After connecting the keyboard, a command-line interface appears, and thieves can use the keyboard to enter combinations of Fx keys to control the ATM, such as: “F8 F1 F1” or “F8 F4 F5.”

After the crooks decide on the amount of cash they want to steal, they only need to press F3 and collect their money.

Command line interface for Ploutus-D
Command line interface for Ploutus-D (via FireEye)

According to FireEye, to use the malware, crooks need an 8-digit code, valid for only 24 hours.

“This code is provided by the boss in charge of the operation and is calculated based on a unique ID generated per ATM, and the current month and day of the attack,” says Daniel Regalado, FireEye malware analyst.

Security researchers have identified attacks with Ploutus-D malware in Latin America only, but knowing how crooks operate, it’s only a matter of time until this threat makes its way north across the border, in the US and Canada.

Recommended for you

Leave a Reply