Backdoor.Ploutus is malware transferred to ATMs. The malware was originally discovered by Symantec on September 4, 2013. At the time the malware was known to be isolated in Mexico. New evidence suggests the malware is on the move.
The original source code uses Spanish for function names along with bad English grammar. This would indicate the malware in all likelihood was written by Spanish speaking criminals. Recently an English translation Backdoor.Ploutus was discovered on a stronger platform. This indicates the criminals behind Backdoor.Ploutus believe the same ATM software can be exploited in other countries.
To infect the ATM requires physical access to the machine. A a new boot disk used to transfer Backdoor.Ploutus must be inserted in the CD-ROM drive. The malware installs an interface used to interact with the ATM software. This enables the criminals to not only withdraw all of the money contained in the ATM’s cassettes, but to also record all key strokes. Thus allowing access to customers’ data.
Symantec was able to determine from the code of Backdoor.Ploutus that the malware will identify the dispenser device in the ATM. After which it determines the number of cassettes per dispenser. The malware calculates how many bills to dispense. Then repeats the cycle for all cassettes in the ATM.
Backdoor.Ploutus executes these activities
- Randomly generates number for the compromised ATM using day and month at the time of infection.
- Sets a timer to dispense money, but only during the first 24 hours.
- Dispense specific amounts of money requested by the criminals.
- Reset the dispense time period.
Symantec says the list of commands mentioned above must be executed in order, since it must use a non-expired activated ATM ID to dispense the cash.
Through an evaluation of the code it is determined the the following activities can be performed using the ATM keypad:
- 12340000: Tests if the keyboard is receiving commands.
- 12343570: Generate ATM ID, which is stored in the DATAA entry in the config.ini file.
- 12343571XXXXXXXX: generates an activation code based on an encoded ATM ID and the current date. This value is stored in the DATAC entry in the config.ini file. The eight bytes read in must be a valid encoded ATM ID generated by a function called CrypTrack(). A valid ATM activation code must be obtained in order for the ATM to dispense cash. Generate timespan: Sets a timer to dispense money, the value will be stored in the DATAB entry in the config.ini file.
- 12343572XX: Commands the ATM to dispense money. The removed digits represent the number of bills to dispense.
By using an external keyboard you can interact with Backdoor.Ploutus GUI and execute the following commands:.
- F8 = This will display the Trojan windows on the main screen of the ATM, so criminals can send commands. Once the Trojan window is visible you can perform the following from the keyboard:
- F1 = Generate ATM ID
- F2 = Activate ATM ID
- F3 = Dispense
- F4 = Disable Trojan Window
- F5 = KeyControlUp
- F6 = KeyControlDown
- F7 = KeyControlNext
- F8 = KeyControlBack
With technology being used in almost every part of security, bank robbers now need skilled IT practitioners as part of their crew if they want to get away with a bank heist. But do not expect to see these employers posting on Dice or Monster.