January 17, 2017
Ploutus, the advanced ATM malware that was first discovered in Mexico in 2013, is back in an updated and even more dangerous form, according to FireEye, a computer security firm.
In a new blog, the company said it has discovered a new variant of Ploutus — Ploutus-D — which recently has been used in jackpotting attacks on ATMs in Latin America.
Ploutus-D interacts with the Kalignite multivendor ATM platform developed by KAL — one of several new features identified in the malware. The code is set up to target Diebold ATMs; however, FireEye observed that, because the malware works through Kalignite, it would require only minimal recoding to infect almost any other make of ATM as well.
As described in the FireEye blog:
Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.
FireEye listed a number of "improvements" made to the Ploutus malware to create the more sophisticated Ploutus-D variant:
Read the entire FireEye blog including full details about Ploutus-D features, operation and identification.