Ploutus is an ATM malware family discovered in 2013[1] that targets ATMs manufactured by NCR in Mexico. Since its discovery, the malware has been a nightmare for Latin American banks, enabling criminals to steal more than $45 million.
Ploutus gained a lot of media coverage thanks to its capability to be controlled via SMS messages[2]. It exhibited other sophisticated features, such as the ability to switch the ATM into supervisor mode in order to dispense cash. The next variant of Ploutus was seen in South America targeting ATMs manufactured by Diebold, hence the name Ploutus-D[3]; this new variant was able to control the multi-vendor ATM software Kalignite (KAL). Around the same time, another variant of Ploutus-D was identified in Mexico, this time controlling Diebold's Agilis middleware[4]. As in the previous variants, the attackers demonstrated in-depth knowledge of the internal workings of the ATM manufacturers' middleware. The latest variant offered a new module that allows the attackers to manage ATMs remotely in order to set up the malware and issue licenses to their customers.
Recently, in January 2018, according to journalist Krebs, the U.S. Secret Service quietly alerted financial institutions that Ploutus-D had been discovered jackpotting ATMs in the USA[5]. Analysis of the new variant revealed that it is a modified copy of a previous version targeting the Diebold Agilis middleware[4]. It did, however, have important differences:
- The Ploutus-D code was altered by Spanish-speaking programmers
- The Ploutus-D signature was removed and was renamed by the author(s) as “Piolin” (Tweety bird cartoon)
- It comes with an extra layer of obfuscation not seen in previous versions of Ploutus-D
- The code to issue licenses activating the malware was changed, suggesting that different individuals are overseeing billing operations in the USA
This and other evidence documented in the Zingbox paper suggest that the Latin American gang behind Ploutus is not connected with the recent heists that took place in the US.
Finally, a set of recommendations is provided outlining the areas of opportunity where manufacturers and banks can help mitigate Ploutus ATM malware, which continues to evolve without any sign of slowing down.
The full detailed write-up is available here.