
No rocket science required: 3 ways ATM deployers can defeat Ploutus-D malware

Any one of three commonsense safeguards can immunize an ATM against Ploutus-D. And one more precautionary measure can make it far more difficult for criminals to program ATM malware in the first place.

January 19, 2017 by Aravinda Korala — CEO, KAL

On Jan. 11, the U.S. security firm FireEye Inc. published a blog post about new malware they named "Ploutus-D" and described as "one of the most advanced ATM malware families we've seen in the last few years."

Because it uses some components of the KAL software platform and targets ATMs, this malware is of significant interest to KAL customers — and to all in the ATM industry.

This article outlines KAL's understanding of the malware and our advice to ATM deployers. We would like to thank FireEye for providing us with advance notice of their findings prior to publishing the blog post.


Dispensing cash

Ploutus-D is defined by two characteristics:

  1. it is able to dispense cash from an XFS-compliant ATM cash dispenser; and
  2. it is able to control when and how much cash is dispensed, according to remote instructions from a mastermind.

ATM industry members will be aware of the XFS standard and KAL's implementation of the Kalignite platform. Ploutus-D uses KAL software components to implement the cash dispense function via the XFS service provider of the dispenser.

FireEye postulates that KAL software components were obtained from a stolen ATM. In some countries, ATMs are stolen not only for the cash, but also for the purpose of analyzing and harvesting software components.

Controlling the dispense

Sophisticated code in the Ploutus-D malware controls the ATM cash dispenser so that cash collection by a money mule happens only under the remote control of a mastermind. This is intended to ensure that the money mule does not keep the money, but delivers it to the mastermind before returning to the affected ATM to collect the next batch of cash.

This type of control over the dispenser requires a keyboard or phone to be connected to the ATM. The mastermind uses the connected device to enable and disable dispensing and to control dispensing times (thus ensuring that the money is dispensed to a mule rather than an unsuspecting passerby) and amounts (no doubt determined by the mule's own underworld credit rating).

Compromising the ATM

One important aspect of Ploutus-D not addressed by FireEye is how it is initially installed on the ATM. It appears to KAL that the malware can be installed only on ATMs that do not have security protection — or whose security protection has not been enabled.

In order for the malware to be successfully introduced and operated, all of the following are required:

  1. the criminal must have physical access to the ATM and its PC core. The malware requires a USB port for upload and a USB or keyboard port for control;
  2. the malware must be installed within the ATM runtime environment, meaning that USB ports must be unlocked to accept mass storage devices. (Alternatively the malware might be introduced via a sophisticated network attack, but there's no evidence of this in Ploutus-D attacks to date); and
  3. the malware must install itself and run on the ATM.

Because every one of these conditions is necessary, breaking any single one of them is sufficient to stop the attack. To prevent the malware from being successfully introduced and operated, just one of the following is required:

  1. a physically secured PC core. The motherboard, USB ports and keyboard ports should be protected from easy access; most ATM cabinets are equipped with a lock for this purpose;
  2. USB mass-storage lockdown to prevent the insertion and use of unidentified storage devices; or
  3. software whitelisting to ensure that only authorized software will be allowed to run on the ATM.

And we would add one further measure: whole disk encryption for hard disks.

The reason that malware like Ploutus-D can exist at all is that hard disks can be stolen and the legitimate software on them harvested and misused. Whole disk encryption denies a thief readable copies of the ATM software, which makes building this kind of malware far more difficult.
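The following PowerShell audit script is an added example, not KAL or Kalignite code, of how an ATM deployer might verify safeguards 2 and 3 above, plus whole disk encryption, on a Windows PC core. It assumes Windows 7 or later with AppLocker and BitLocker available, that the script runs as Administrator, and that the deployer accepts either a disabled USBSTOR driver or a "Removable Disks" deny policy as evidence of mass-storage lockdown; the function names and the pass/fail thresholds are the example's own choices, not an industry standard.

```powershell
# Added example: audit of Ploutus-D safeguards on a Windows ATM core.
# Not KAL/Kalignite code. Assumes Windows 7+, AppLocker and BitLocker present,
# and an elevated PowerShell session. Physical cabinet security (safeguard 1)
# cannot be checked from software and is not covered here.

function Test-UsbMassStorageLockdown {
    # Control A: USBSTOR driver service disabled (Start = 4 means "Disabled").
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    $serviceDisabled = [bool]($usbstor -and $usbstor.Start -eq 4)

    # Control B: "Removable Storage Access" policy denying removable disks.
    # {53f56307-b6bf-11d0-94f2-00a0c91efb8b} is the Removable Disks class GUID
    # used by that policy; Deny_Read/Deny_Write/Deny_Execute are its DWORDs.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
                 '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $policyDenies = [bool]($policy -and $policy.Deny_Read -eq 1 -and
                           $policy.Deny_Write -eq 1 -and $policy.Deny_Execute -eq 1)

    [pscustomobject]@{
        Control = 'USB mass-storage lockdown'
        Pass    = ($serviceDisabled -or $policyDenies)
        Detail  = "USBSTOR disabled=$serviceDisabled; removable-disk policy denies=$policyDenies"
    }
}

function Test-SoftwareWhitelisting {
    # AppLocker only bites when the Application Identity service is running
    # AND at least the Exe collection is in "Enabled" (enforce) mode,
    # not "AuditOnly". An audit-only policy is the "protection not enabled"
    # case the article warns about.
    $appId      = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcRunning = [bool]($appId -and $appId.Status -eq 'Running')

    $enforced = @()
    $effective = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($effective) {
        foreach ($rc in $effective.RuleCollections) {
            if ($rc.EnforcementMode -eq 'Enabled') { $enforced += $rc.RuleCollectionType }
        }
    }

    [pscustomobject]@{
        Control = 'Software whitelisting (AppLocker)'
        Pass    = ($svcRunning -and ($enforced -contains 'Exe'))
        Detail  = "AppIDSvc running=$svcRunning; enforced collections=$($enforced -join ',')"
    }
}

function Test-WholeDiskEncryption {
    # BitLocker on the system drive must be fully encrypted with protection ON.
    # "FullyEncrypted" with ProtectionStatus "Off" means the key is exposed.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $ok  = [bool]($vol -and $vol.VolumeStatus -eq 'FullyEncrypted' -and
                  $vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Control = 'Whole disk encryption (BitLocker)'
        Pass    = $ok
        Detail  = if ($vol) { "status=$($vol.VolumeStatus); protection=$($vol.ProtectionStatus)" }
                  else { 'BitLocker not available or system drive not managed' }
    }
}

function Invoke-PloutusSafeguardAudit {
    $results = @(Test-UsbMassStorageLockdown, Test-SoftwareWhitelisting, Test-WholeDiskEncryption)
    $results | Format-Table -AutoSize

    # Per the article, any ONE of the software safeguards is enough to stop
    # Ploutus-D being introduced and run; report the worst case explicitly.
    $blocking = @($results | Where-Object { $_.Pass -and $_.Control -notmatch 'encryption' })
    if ($blocking.Count -eq 0) {
        Write-Warning 'No software safeguard blocks Ploutus-D on this core: USB storage and unsigned code both allowed.'
    } else {
        Write-Host "Ploutus-D blocked by: $($blocking.Control -join '; ')"
    }
    return $results
}

Invoke-PloutusSafeguardAudit
```

Whole disk encryption is reported separately from the two blocking controls because it does not stop an already-running attacker on a booted machine; it stops the harvesting of software from a stolen disk, which is the precursor step the article describes. Deployers using a third-party whitelisting or device-control product instead of AppLocker and the Windows policy keys would replace the corresponding check with that product's own status query.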

Advice to ATM deployers

Ploutus-D threatens all ATM deployers, not just KAL customers. As the FireEye blog explained, "legitimate KAL ATM software is dropped into the system along with Ploutus-D … " This means that all XFS-compliant ATMs are at risk from Ploutus-D and should be protected as described above.

Advice to KAL customers

It is essential that KAL customers enable the Kalignite Security Lockdown on all ATMs. This includes all of the features above as well as others that help to block other types of malware attacks. Contact KAL for more information.

©2025 Networld Media Group, LLC. All rights reserved.