Ploutus is the name of a sophisticated piece of malware that security specialists first detected in 2013. Back then it affected a number of ATMs in Mexico, so it is considered extremely dangerous. Fortunately, crooks no longer seem to employ it widely these days. Sadly, this does not mean that ATM administrators can perform a happy dance, because the situation might change dramatically soon: a new version of this dangerous malicious application has been developed recently, meaning that Ploutus is back! Since it works slightly differently this time, it has received a new name, Ploutus-D.
Generally speaking, Ploutus is a name encompassing different versions of advanced malicious software used to rob ATMs. It allows criminals to completely empty an ATM using only an external keyboard or an SMS message (more specifically, an SMS message sent to the particular ATM). The new version, Ploutus-D, has been developed for the same purpose. It was first detected in November 2016, when someone uploaded it to the web (VirusTotal), most probably by mistake. Researchers have analyzed it thoroughly to find out what to expect from this malicious application. This backdoor differs slightly from its predecessors: it particularly targets ATMs made by the vendor Diebold. Unfortunately, according to researchers, this does not mean that ATMs of other vendors are safe. Specialists say that with minor modifications by crooks, Ploutus-D could start working on other ATMs whose cash dispensers are built on the Kalignite platform too. That platform is used worldwide; more specifically, 40 different ATM vendors use it in more than 80 countries, which suggests that criminals might start using the malware widely to steal money.
The major targets of Ploutus-D are ATMs running the following operating systems: Windows 10, 8, 7, and XP. Crooks also need to connect a keyboard to the ATM to get what they want, so the machine must have an unsecured port (USB or PS/2) that allows them to do so; an external device must be connected before the ATM can be controlled. Once the keyboard is connected, a command-line interface appears and criminals can enter F-key combinations, e.g. F8 F4 F5 or F8 F1 F1, to perform activities inside the ATM; for example, they can use these combinations to enter the amount of money they want to get. Once the amount is decided, they only need to press a single button, F3, to make the ATM spew out money. Getting free money sounds very easy, but, of course, it is not so easy to get it and use it. As malware analysts have found, anyone planning to employ this malware needs an 8-digit code, valid for only 24 hours, to launch and use Ploutus-D. It is a unique code generated from the unique ID of the ATM and the month and day of the attack.
Once the unique code is entered and Ploutus-D is successfully launched, it immediately kills all security applications installed on the machine. It also tries to stay undetected, which is why the .NET Reactor obfuscator is used. Before this backdoor starts working, it also checks that it can run properly on the ATM; to perform this check, legitimate KAL ATM software modules are dropped together with the infection. Evidently, the new version of the Ploutus malware differs greatly from the older versions used in Mexico in 2013 to steal money from hundreds of ATMs.
At the time of writing, Ploutus-D has been used to steal money only from ATMs in Latin America, but it is very likely that more and more crooks will try out the new version of Ploutus, meaning that the number of infected ATMs might quickly increase. In the opinion of researchers, devices in the U.S. and Canada are going to be affected next.