vSOC SPOT Report: Ploutus-D ATM Malware

Overview

On Friday, January 26^th, vendor Diebold Nixdorf released a statement to customers housing their front load ATM appliances of an attack being leveraged against them. The Ploutus-D malware, which has previously been seen in Latin America, has been observed in several regions of the United States including the Pacific Northwest, Texas, and several locations across the Southeast. The attack is coined “Jackpotting” due to the ability to make the ATM device unload all of its funds.

Attack Details

In order for an attacker to gain access to implant the malicious binary, they must have physical access to the device. They must open the top hat of the ATM via a clone key, picking, forcing the lock or any other method. Once they gain physical access, the attacker will attach a USB or PS/2 keyboard and either load the malicious binary via USB drive or other removable media or will replace the hard drive of the system with one preloaded with the malicious operating system and program files. Once complete, this will allow the attacker to “jackpot” the ATM directly via command line or remotely via SMS text message.

Recognizing Jackpotting Attacks

Physical access is necessary to perform this attack as well as potential damage to the device. Routine sweeps should be made by the device administrator to ensure there is no damage to the locking mechanism, top hat, or casing indicating that the device has been tampered with. Additionally, if the device has a built-in tamper alarm to the opening of the top hat, it should be enabled.

How Jackpotting Works

The attacker gains physical access to the computer inside the ATM either via forcing the top hat, or in the case of embedded systems, via social engineering their way into the maintenance area for the devices. They then load the Ploutus-D Configuration utility (AgilisConfigurationUtility.exe) along with software dependencies onto the system which permits the attacker control. Once the applications are installed, the malware hooks into the keyboard and permits the use of the “F” function keys (typically at the top of the keyboard, as in the above image) as well as the number keys to provide input. At this point, the attacker can press the “F3” key and distribute funds from the device without authorization or can close everything back up and create a cash drop where they are able to distribute funds at their leisure.

In order for this particular attack to be successful, the attacker MUST have the 8 digit activation code, which is only valid for 24 hours.

Attack Detection and Prevention

To detect and prevent this attack, the best starting point is to reinforce the device’s physical security. Additional security controls for ATM maintenance and stronger access control are critical. Additional options to reduce the attack surface are:

• Many of the ATMs in circulation use the same keys. Replacing the top hat lock with a different lock will reduce the instances of this crime.
• Have a technician physically inspect the device at regular intervals to ensure it has not been tampered with.
• Use appropriate locking mechanisms to secure the head compartment of the ATM.
• Control access to areas used by personnel to service the ATM.
• Implement access control for service technicians based on two-factor authentication.
• Use firmware with the latest security functionality.
• Use the most secure configuration of encrypted communications including physical authentication:
  • Agilis® XFS for Opteva®
  • Advanced Function Dispenser (AFD) Version 4.1.41 incl.AFD Application Firmware Version – 6.0.1.0 (or later)
  • Agilis® XFS for Opteva®, Core Version 4.1.59 (or later)
  • Optional – OSD+/DSST 3.3.30 (or later)
• Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.
• Have a plan in place for what to do if someone has physically tampered with the ATM.
  • Who is the point of contact?
  • Who is your local law enforcement agency?
  • Do you have a regular contact there?
• Running regular updates and ensuring that your operating system is still supported (Many of these attacks are made far easier due to the ATM running Windows XP).
• Implementation of full disk encryption and encrypt the connection between the ATM and the dispenser.

Affected Systems

• Diebold Nixdorf Front-load Opteva terminals with the Advanced Function Dispenser (AFD).
  • Opteva 500 and 700
• Other terminals and ATM vendors without physical authentication could be affected.

IOCs

The following IOCs are available to detect the instance of the attacker:

FileSystem:

• [D-Z]:DataP.bin
• C:DieboldEDCedclocal.dat

The following files should be found at the same place where the service Diebold.exe is located:

• Log.txt
• Log2.txt
• P.bin – Mac address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”
• PDLL.bin – Encoded version of P.bin

Mutex names:

• Ploutos
• DIEBOLDPL
• KaligniteAPP

Services:

• Service Name: DIEBOLDP

Registry:

\HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit=”Diebold.exe,%system32%/userinit.exe”

Additional Resources

• https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
• https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
• https://www.guidepointsecurity.com/wp-content/uploads/2018/01/20180126-GLOBAL-SECURITY-ALERT-018-04-0005-Potential-Jackpotting-US-Update-on-017-34-0002-smaller.pdf
• https://blog.dieboldnixdorf.com/not-just-ploutus-protection-atm-malware-attacks/#.Wm9lN1Q-d0s
• https://www.bleepingcomputer.com/news/security/ploutus-atm-malware-press-f3-for-money/
• http://www.zdnet.com/article/atm-jackpotting-reaches-us-shores/