ATM malware Ploutus updated with English-language version


Just a couple of weeks after the Spanish-language ATM malware known as Ploutus was discovered making the rounds in Mexico, computer security software company Symantec has discovered an updated English-language version.

Aside from the language, the only real differences are that the binary name has changed to ‘Ploutus.exe’ from ‘PloutusService.exe’, and that it has been changed from a standalone program to a modular architecture, Satnam Narang, a researcher with Symantec Security Response, told SCMagazine.com on Monday.

Otherwise, the way the crooks use it is largely the same. The malware is loaded onto the ATM through its CD-ROM drive; the attacker enters a 16-digit command code on the ATM keypad; a dispatcher component then passes a 33-digit instruction to Ploutus on the command line; and a timer is scheduled to dispense the cash.

The malware will only spit out money within the first 24 hours of activation, Narang said.

Beyond physically securing the ATM enclosure so that criminals cannot reach the machine's CD-ROM drive, Symantec has offered ATM owners some additional best practices for defending against Ploutus.

First, configure the BIOS boot order to boot only from the hard disk, and not from CD, DVD or USB, Narang said. He added that ATM vendors should protect the BIOS settings with a password so that attackers cannot change the boot order, consider removing hardware that would allow the machine to read from and boot from removable media, and keep antivirus signatures and other security software up to date.
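The following audit script is an added example, not code from Symantec, SC Magazine or the ATM vendors. Run from inside Windows on the ATM, it reports the parts of the practices above that the operating system can see: removable-media hardware, any process, service or file carrying the two binary names the article gives for Ploutus, and the registered antivirus products. BIOS boot order and the BIOS setup password cannot be read from the OS, so the script prints the BIOS identity and flags those two items for a manual check at the console. It assumes Windows PowerShell with WMI available; the Windows Security Center namespace it queries is an assumption that holds on client editions of Windows, not on Server editions.

```powershell
# Added example, not the page's own code: read-only host audit for the
# Ploutus hardening checklist. Uses Get-WmiObject rather than the newer
# CIM cmdlets so it also runs on older Windows builds found on ATMs.

$findings = @()

# 1. Removable-media hardware. Ploutus is loaded via the CD-ROM drive, and
#    any device the BIOS can boot from is a risk. DriveType 5 = CD-ROM,
#    DriveType 2 = removable disk (e.g. USB mass storage).
$optical = @(Get-WmiObject Win32_CDROMDrive -ErrorAction SilentlyContinue)
if ($optical.Count -gt 0) {
    $findings += "Optical drive(s) present: " + (($optical | ForEach-Object { $_.Name }) -join ', ')
}
$volumes = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 2 OR DriveType = 5" -ErrorAction SilentlyContinue)
if ($volumes.Count -gt 0) {
    $findings += "Removable/optical volumes mounted: " + (($volumes | ForEach-Object { $_.DeviceID }) -join ', ')
}

# 2. Binary names reported for the two Ploutus variants (from the article).
#    An attacker can rename the file, so a clean result here is weak evidence;
#    a hit is worth an immediate look.
$names = 'Ploutus', 'PloutusService'
foreach ($n in $names) {
    foreach ($p in @(Get-Process -Name $n -ErrorAction SilentlyContinue)) {
        $findings += "Process running: $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
    }
    foreach ($s in @(Get-Service -Name $n -ErrorAction SilentlyContinue)) {
        $findings += "Service installed: $($s.Name) [$($s.Status)]"
    }
}
# Whole-system-drive search; slow on a large disk, run it out of service hours.
$files = @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include 'Ploutus.exe', 'PloutusService.exe' -ErrorAction SilentlyContinue)
foreach ($f in $files) {
    $findings += "File found: $($f.FullName) (modified $($f.LastWriteTime))"
}

# 3. Antivirus registration. Security Center exposes products under
#    root\SecurityCenter2 (Vista and later) or root\SecurityCenter (XP).
$av = @()
foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
    $av += @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue)
}
if ($av.Count -eq 0) {
    $findings += "No antivirus product registered with Security Center (verify the installed AV and its signature date by hand)"
} else {
    $findings += "Antivirus registered: " + (($av | ForEach-Object { $_.displayName }) -join ', ')
}

# 4. BIOS identity for the change record. Boot order and setup password are
#    not exposed to the OS in a vendor-neutral way; check them at the console.
$bios = Get-WmiObject Win32_BIOS -ErrorAction SilentlyContinue
if ($bios) {
    $findings += "BIOS: $($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate)"
}
$findings += "MANUAL CHECK: BIOS boot order must be hard disk only (no CD/DVD/USB)"
$findings += "MANUAL CHECK: BIOS setup password must be set"

$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session so that Get-Process can read the image path of every process and the file search is not blocked by permissions; fold the output into the same change record you keep for the physical inspection of the enclosure.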

“This discovery underlines the increasing level of cooperation between traditional physical-world criminals with hackers and cyber criminals,” Narang said, adding that ATMs in off-site locations, such as malls and convenience stores, are more likely at risk. “With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that to carry out successful heists, they now require another set of skills that wasn't required in the past.”

Russian security firm Safensoft discovered late in September that Ploutus was infecting ATMs in Mexico, and not long after, information security company Trustwave released its own findings on the malware.
