Ploutus ATM Trojan

Do you know what Ploutus is?

If you do not live in Latin America and you do not follow cyber security news closely, you probably have not heard of Ploutus before. Ploutus is a Trojan that infects automated teller machines (ATMs) and makes them dispense the cash stored inside. It does not infect personal computers, but it is a good illustration of one of the ways criminals get rich. And while Ploutus can empty an ATM, it does not steal from you directly: it does not go after the card data of the customers who use the machine.

According to security researchers at FireEye, Ploutus is one of several Trojans that have recently been used against ATMs in Latin America. It was first detected in Mexico in 2013 and has kept evolving since. The newest variant, which researchers call Ploutus-D, was first observed in November 2016 and appears to have been used on ATMs across Latin America. The samples analysed targeted Diebold ATMs, although the researchers note that the code can be modified to work on other vendors' machines as well.

A closer look at how the infection works shows why it thrives in countries where the physical security around ATMs is weaker: to install Ploutus-D, the criminal has to open the machine and plug a keyboard into it. That is hard to do unnoticed on an ATM that is watched around the clock. So the attacks depend on finding machines where the criminals can get physical access to the computer inside without being seen.

Once the ATM is infected, the criminals can drive it remotely. In the earlier variant, a mobile phone tethered to the ATM over USB relayed SMS commands to the malware as network (UDP) packets, and the ATM then started paying out cash. To put it simply, Ploutus tricks the ATM into "thinking" that a customer has asked it to dispense money, when no debit or credit card was ever inserted. It does not need to break the operating system: it issues the dispense command through the ATM's own software, and the machine hands over the cash in its cassettes.

Why can criminals infect ATMs, which seem to have little in common with personal computers? Because an ATM is a computer: behind the cabinet there is an ordinary PC running an operating system, usually Windows. Ploutus-D runs on Windows 10, Windows 8, Windows 7 and Windows XP. The new version also tries to stay hidden from analysts and antivirus tools: it is packed with the .NET Reactor obfuscator, which makes the malware harder to reverse-engineer. As mentioned above, from the customer's point of view the one consolation is that the program does not touch individual bank accounts. Whatever it takes from the ATM is the bank's money, not yours.

As for the technical details, Ploutus-D is persistent: during infection it registers its own executable in the Userinit value of the Winlogon registry key, the value Windows consults to decide what to launch when a user logs on, so the malware starts again every time the machine reboots and logs on. The way the malware is built also shows that its authors studied the ATM vendor's software closely and very likely have a copy of it. That is not far-fetched: a physical ATM can be bought legally, often with the software already installed, and ATMs are occasionally stolen from banks as well.
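As an added example (not code from the original article, from FireEye or from any other researcher it cites), the following Python checks a `reg export` of the Winlogon key for Userinit entries other than the stock Windows binary, which is the kind of baseline check an ATM operator can run to catch this persistence trick. The two registry exports and the `C:\ATM\launcher.exe` path in the tampered one are constructed placeholders for this example, not real Ploutus artifacts.

```python
"""Flag unexpected entries in the Winlogon Userinit value.

Windows runs every program listed in the Userinit value (under the
Winlogon registry key) at each interactive logon, which is the hook
Ploutus-D uses to survive a reboot. This script parses the text of a
`reg export` of that key and reports any entry other than the stock
userinit.exe. The two exports below are constructed for this example;
the "launcher.exe" path in the tampered one is a placeholder, not a
real Ploutus file name.
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The only program that belongs in Userinit on a stock Windows install.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Constructed sample: a clean export of the Winlogon key.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

# Constructed sample: the same key after a second program was appended
# to Userinit (hypothetical path standing in for a malware launcher).
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ATM\\launcher.exe,"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    Key paths and value names are lower-cased because the registry is
    case-insensitive; binary/DWORD values are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                unescaped = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name.strip('"').lower()] = unescaped
    return keys


def userinit_entries(data):
    """Split the comma-separated Userinit value into normalised paths.

    The stock value ends with a trailing comma, so empty slots are
    dropped; paths are lower-cased and stripped of surrounding quotes.
    """
    return [p.strip().strip('"').lower() for p in data.split(",") if p.strip()]


def unexpected_userinit(export_text):
    """Return the Userinit entries that are not the stock binary.

    An empty list means the value looks clean. A missing Userinit value
    is an error rather than a clean result, so it cannot be overlooked.
    """
    values = parse_reg_export(export_text).get(WINLOGON_KEY.lower(), {})
    data = values.get("userinit")
    if data is None:
        raise ValueError("Userinit value not present in export")
    return [p for p in userinit_entries(data) if p not in EXPECTED_USERINIT]


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        extra = unexpected_userinit(export)
        print(f"{label}: {'OK' if not extra else 'UNEXPECTED ' + ', '.join(extra)}")
```

On a Windows host the export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the file is written in UTF-16, so read it with `encoding="utf-16"` before passing the text to `unexpected_userinit`. The check is deliberately an allowlist rather than a search for known malware names: any extra program in Userinit on a single-purpose machine such as an ATM deserves a look, whatever it is called.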

The fact that such Trojans exist shows how creative and persistent malware developers are, and it confirms that most malware is written for financial gain. Ordinary users are not affected by Ploutus directly, but the lesson is the same: stay vigilant, and remember that anything running an operating system can be broken into and abused as long as the criminals know how. And they most certainly do.

In non-techie terms:

Ploutus is a Trojan that infects ATMs. Once an ATM is infected, the criminal can make it dispense cash at will, so the malware is used to steal from financial institutions rather than from customers. Banks hit by it have to invest more in the physical and software security of their machines; otherwise similar attacks will only multiply.