 #22569  by id_grinder
 Wed Mar 26, 2014 11:13 am
Well, there are some "commercial" and security issues involved in this Ploutus campaign.
First there is the real threat.
I had the chance to analyse the malware so kindly provided here and it is a valid threat.
It is engineered by someone with deep knowledge of ATM functionality and exploits some features found in many ATM terminals in existence right now.
However, being a POI (point of interaction) attack, it is relatively hard to scale since it requires physical access to the machine and PC cage.
Processors and providers and private owners are at risk if they do not have alarm systems installed on their ATMs.
Locking down BIOS is a good option but if the attacker has enough time he can open the PC cage and clear the BIOS NVRAM.
In some situations, the USB printer port was used to gain access to the PC by drilling holes in a predetermined area of the ATM fascia and plugging in a USB stick followed by a power cycle of the ATM.
In all presented and confirmed cases, the malware was delivered via a bootable disk to bypass some of the security software installed on the ATM HDD since these are not active in offline mode.
This feature again proves the knowledge of ATM systems and functionality by the malware creator.
Another way of installing the malware is to use technicians that service the machines.
There are several reports where the technicians were either bribed or threatened and forced to install the malware on the ATMs.
Another side of this is the "commercial" side which is much more interesting.
Now over 80% of the ATMs currently running in the world are running a version of Windows.
Some of them are however unaffected by Ploutus (they run Windows CE) but the rest of them are susceptible to this threat.
Now there are several interests in here.
New software licenses (XP ends support in April), new hardware (since Windows 7 has a new driver model and the PCs in existing ATMs are several years old, there is no chance of finding suitable drivers for more than 50% of the ATM fleet in existence), new security software and ATM application software.
One of the issues in ATM industry is the resilience of ATM network owners to changes.
Not because they would not welcome the change, but because it costs a big amount of money in new hardware (usually the price of an ATM PC is twice or even three times more than an off-the-shelf PC) and the entire software stack installed has to undergo a long line of tests and certifications that cost another truckload of money.
I personally believe that the current "Ploutus" threat, aside from the fact that it is a security breach that has to be addressed, is used by certain companies to push ATM owners into the costly upgrades they have been avoiding so far.
Again from the point of view of scale, Ploutus is a single point infection and it cannot propagate itself like other malicious software due to the nature of the ATM networks and the restrictions imposed in them.
Compared to physical attacks, I would put Ploutus on the same line if not less than attacks by explosives or gas.
And for these kinds of attacks, the ATM owners are already covered.
So Ploutus is not as much of a threat.
It is used as a way of pushing sales.
 #24440  by writersumit
 Thu Nov 27, 2014 6:27 am
Many thanks for this informative thread and the share. I'm now trying to understand Ploutus. I read that the newer version gets installed from a mobile phone via a text message. Have to check all that. Thanks again.
 #29995  by Xylitol
 Thu Feb 16, 2017 5:27 pm
New Variant of Ploutus ATM Malware Observed in the Wild in Latin America ~ https://www.fireeye.com/blog/threat-res ... riant.html

Diebold.exe - https://www.virustotal.com/en/file/04db ... 487265583/
AgilisConfigurationUtility.exe - https://www.virustotal.com/en/file/aee9 ... 487265968/
Attachment: infected (311.63 KiB)