One of the most profitable cyber crimes in recent years is ATM robbery, where cyber criminals extract cash directly from automated teller machines that have already been infected with malware, causing millions of dollars in losses for banks worldwide. Table 1 lists the most notable heists to demonstrate the impact of these malicious activities.
| Country of Heist | Year | Infection Vector | Net Loss (USD) | Mastermind Group | Members' Nationality |
|---|---|---|---|---|---|
| Multiple | 2012-2013 | Bank Network Breach | $45 Million | Unknown | Turkish |
| Mexico | 2013-2017 | ATM Malware | $450 Million | Ploutus Team | Venezuelan |
| Russia | 2015-2016 | Spear Phishing | $28 Million | Buhtrap | Russian |
| Japan | 2016 | Card Cloning | $12.7 Million | Unknown | Japanese |
| Taiwan | 2016 | Bank Network Breach | $2.5 Million | Unknown | Romanian, Moldovan |

Table 1. Most Notable ATM Heists
An ATM heist is carefully orchestrated to guarantee success, with multiple groups playing distinct roles, as detailed below.
- Mastermind Group: This is the team that develops the ATM malware and then sets the license terms and payment options for interested local criminal groups.
- Local Criminal Groups: These are the consumers of the ATM malware, with full knowledge of the country where the heist is to be performed. They oversee installing the malware on the ATMs in one of two ways:
  - Hacking into the bank network and from there infecting the ATMs with the malware
  - Physically opening the target ATM to transfer the malware
- Mules: These are the people hired by the local criminal groups to physically go to the ATM and withdraw the cash. They can fly into the country where the heist is about to take place, collect the cash, and fly out right after.
- Laundering Groups: Once the cash is in the cyber criminals' hands, it is important to launder it as soon as possible, before it gets confiscated.
Looking at Table 1 above, one group stands out as profiting the most: the Ploutus Team. With a criminal history documented since the end of 2013, it is one of the most active groups, able to control ATMs from multiple vendors worldwide, and it represents a significant risk to financial institutions.
In this blog, we describe the latest piece of malware implemented by the Ploutus Team, a variant known as Ploutus-D. One of its most interesting features allows the attackers to manage infected ATMs from the Internet, effectively making them operate like IoT devices.
Ploutus Team Evolution
| Date | Milestone |
|---|---|
| August 2013 | Ploutus is discovered controlling NCR APTRA middleware |
| March 2014 | Ploutus adds a component to control NCR ATMs via SMS messages |
| October 2016 | Ploutus adds support to control the multi-vendor KAL Kalignite framework via external keyboard |
| January 2017 | Ploutus adds a module to manage the ATM remotely and two new classes to control XFS middleware |
New Ploutus-D Features Overview
- New module that allows Internet access to manage the ATM
- Support to interact with the malware via the ATM pinpad (previously only possible via an external keyboard)
- New XFS middleware libraries that allow the control of the dispenser and pinpad
Although the Ploutus Team began by targeting Latin American countries, the malware now runs on ATMs from multiple vendors, making it a worldwide issue and the greatest ATM malware risk. Below is a list of countries that submitted a variant of Ploutus-D to VirusTotal:
- Dominican Republic
- United States
What do those countries have in common? All of them have suffered ATM heists in the past. Table 2 gives a clear picture of the variants and their release dates, as well as which countries reacted by submitting samples.
| File Name | MD5 | Submission Date | Country source submitted to VT |
|---|---|---|---|
| AgilisConfigurationUtility.exe | e77be161723ab80ed386da3bf61abddc | 2016-11-06 05:44:25 | Dominican Republic |
| Diebold.exe | 328ec445fce0ec1e15972fef9ec4ce38 | 2016-11-08 20:42:04 | Ukraine, Peru |
| Diebold.exe | e5957ccf597223d69d56ff50d810246b | 2016-11-12 10:16:18 | Peru, Dominican Republic |
| Diebold.exe | c04a7cb926ccbf829d0a36a91ebf91bd | 2016-11-16 12:55:56 | Ukraine, Taiwan, Peru, Mexico |
| AgilisConfigurationUtility.exe | 5af1f92832378772a7e3b07a0cad4fc5 | 2016-11-18 16:13:41 | Ukraine, France, Taiwan, Peru, Germany and Mexico |

Table 2. Ploutus-D Variants Release
Ploutus is installed via physical access to an ATM using one of two approaches:
- Inserting a CD-ROM or USB drive into the ATM's port to transfer the malware
- Extracting the hard disk from the ATM and mounting it as an external drive to transfer the malware
Once the ATM has been physically accessed, the Ploutus Team likes to drop an installation kit onto the victim machine, consisting of executables and libraries, to make sure the malware has everything it needs to run independently and without compatibility issues. The “Clean” function shown in Figure 1 reveals the files transferred to the ATM during malware installation and their destination folder, “C:\Diebold\exe\P\”.
Figure 1: List of installation Files
Turning an ATM into an IoT Device
A new Ploutus-D module discovered in VirusTotal turned out to be the most interesting one, since it allows the cyber criminals to manage the ATM from the Internet.
The module is named “Main.exe” and is run by the Launcher (Diebold.exe, see Figure 2) as part of the installation steps.
Figure 2: Launching Main.exe
Once executed, the GUI shown in Figure 3 is displayed.
Figure 3. Main Interface
As you can infer from the window title, it allows the criminals to access the ATM remotely via TeamViewer software. But how is that possible? These automated teller machines do not have Internet access, yet the magic is done by a module embedded in the binary under the name SimpleWifi.dll. The DLL is extracted and loaded in memory via .NET reflection (see Figure 4).
Figure 4. SimpleWifi DLL Being Loaded
SimpleWifi is an open source WiFi client that allows a machine to connect to an access point over a wireless protocol. This means the ATM must have a wireless card attached for the tool to work, another obstacle, since ATMs do not ship with WiFi cards installed. This is where WiFi dongles come into play: small devices that the criminals attach to a USB port. Once the dongle is attached, the “Wifi” tab in the menu allows the criminals to connect to an access point, as shown in Figure 5.
Figure 5. WiFi Configuration
Once the ATM is connected to an access point, it can be managed remotely by the cyber criminals from anywhere in the world, which means it also becomes a new path into the bank network.
As soon as the ATM is online, the Ploutus GUI starts phoning home (see Figure 6) to the domain “usbtest.ddns.net” on TCP port 40020 (at the time of this writing the domain does not resolve to any IP).
Figure 6. Resolving Malicious Domain
An infinite loop creates new threads to phone home every 5 seconds, always sending the same 102 bytes to the destination. Figure 7 shows an example of the traffic observed:
Figure 7. Phone Home Traffic
This callback allows the masterminds behind Ploutus to be notified as soon as a new ATM has been successfully infected.
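The fixed-size, fixed-interval callback described above is exactly the shape a beacon detector can key on. The following is an added example (not code from the original post or from the malware) that runs over a constructed outbound-connection log; the destination usbtest.ddns.net, port 40020, the 102-byte payload and the 5-second period come from the analysis above, while the record format (epoch, source, destination host, port, bytes sent) and the IP addresses are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not real traffic):
# epoch_seconds src_ip dst_host dst_port bytes_sent
SAMPLE_LOG = """\
1485000000 10.10.5.21 usbtest.ddns.net 40020 102
1485000005 10.10.5.21 usbtest.ddns.net 40020 102
1485000010 10.10.5.21 usbtest.ddns.net 40020 102
1485000015 10.10.5.21 usbtest.ddns.net 40020 102
1485000020 10.10.5.21 usbtest.ddns.net 40020 102
1485000003 10.10.5.22 update.vendor.example 443 1833
1485000071 10.10.5.22 update.vendor.example 443 920
1485000140 10.10.5.22 update.vendor.example 443 1833
"""

def parse_log(text):
    """Parse whitespace-separated records into (ts, src, dst, port, size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        records.append((int(ts), src, dst, int(port), int(size)))
    return records

def find_beacons(records, min_count=4, max_jitter=1.0):
    """Flag (src, dst, port) flows that repeat at a near-constant interval with
    a constant payload size: the Ploutus-D callback pattern (102 bytes to
    TCP/40020 every 5 s). Returns one finding dict per suspicious flow."""
    flows = defaultdict(list)
    for ts, src, dst, port, size in records:
        flows[(src, dst, port)].append((ts, size))
    findings = []
    for (src, dst, port), events in flows.items():
        if len(events) < min_count:
            continue  # too few observations to call it periodic
        events.sort()
        sizes = {size for _, size in events}
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        med = median(gaps)
        # Constant payload size and every gap within max_jitter of the median
        if len(sizes) == 1 and all(abs(g - med) <= max_jitter for g in gaps):
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(events), "size": sizes.pop(),
                             "interval": med})
    return findings

if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

The vendor-update flow is ignored because it has too few observations and varying sizes, while the 10.10.5.21 flow is reported as a beacon; in production the same logic runs over proxy, firewall or Zeek conn logs bucketed per host.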
Why Remote Access to the ATM?
It is all about profit. The Ploutus Team sells one-day licenses (access codes that enable Ploutus) to cyber criminals; the criminals steal as much money as they can for that day, and if they need to do it again, they must pay for another license. Interestingly, the licenses are generated from unique attributes of each ATM, such as its MAC addresses, so the masterminds need access to every compromised ATM (at least once) to generate the license, or else let the criminals do it themselves and lose control of the licensing scheme.
Apart from that, the criminals can always check the remaining cash balance in the ATM remotely to decide whether it is time to attack it again, or even try to penetrate the bank network from the ATM endpoint if needed.
Interacting via Pinpad with new XFS Middleware Classes
In the previous analysis of Ploutus-D, an external keyboard was needed to interact with the malware; this version adds interaction via the pinpad, which makes things easier for the cyber criminals.
As documented previously, Ploutus-D added support to control the ATM via the multivendor platform Kalignite. Now a new set of classes has been created that is not known to belong to any specific vendor, which suggests it could be the Ploutus Team's own implementation for interacting with the XFS middleware.
In Figure 8, the new classes axAXFS3Pinpad and axAXFS3CashDispenser1 are used to interact with the Diebold pinpad (“DBD_EPP4”) and dispenser (“DBD_AdvFuncDisp”).
Figure 8. Interacting with Diebold Devices via New Classes
Finally, Figure 9 shows an extract of the code that reads digits from the pinpad, where, interestingly, the number 9 serves as the “ENTER” key to submit the input.
Figure 9. Reading Data from the Pinpad
One of the major challenges companies face with IoT devices is the lack of monitoring and protection. It is very common to find such devices fully exposed to the Internet, giving attackers a way into the organization's network. ATMs are known to be highly monitored and protected, but as soon as they are turned into IoT devices, the security controls protecting them are nullified and, even worse, they become a gateway into the entire bank network.
The Ploutus Team is stronger than ever, with the ability to hack into ATMs from all major vendors, representing a significant risk to Latin America and the rest of the world.
By following well-known security best practices, an infection is hard to achieve. For ATMs, locking ports (USB, CD-ROM), protecting the BIOS with a password, and encrypting the hard disk would have defeated the current infection vectors.