Threat Management, Malware, Threat Management

Crooks ‘jackpot’ ATMs in Latin America with new FiXS malware

A man uses a green-colored ATM

Advance ATM malware dubbed FiXS has been used in a string of attacks across Mexico allowing cybercriminals to spit out cash on demand. The attacks have been ongoing since February with researchers unsure how threat actors are able to install FiXS malware on targeted ATM machines.

The attacks are similar in tactics to previous ATM malware called Ploutus, which has targeted Latin America banks since 2013, according to a report by researchers at Metabase Q. An updated strain of the malware was detected in 2021, which “specifically targeted ATMs produced by the Brazilian vendor, Itautec, and was prevalent across Latin America.”

The FiXS malware is new and is currently affecting Mexican banks, wrote Jesus Dominguez and Gerardo Corona from from Metabase Q's Ocelot Team.

FiXS malware earns its name from the type of vendor agnostic ATM middleware it targets called CEN XFS. It’s unclear how cybercriminals gain access to systems to inject the malware into the ATMs, according to researchers. However, once installed FiXS allows attackers to exploit a suite of protocols and APIs that make up CEN XFS. The malware user interface allows remote cybercriminals to program the ATMs to dispense cash, also called jackpotting.

The term jackpotting, in a nod to a type gambling windfall, is jargon for when criminals are able to dispense cash from banking ATMs using either a physical connection, remote malware or a combination of both.

How the ATM malware FiXS works

Characteristics of the FiXS malware, according to Metabase Q, include allowing the threat actor to dispense cash 30 minutes after the ATM reboots. Criminals must have access to the targeted ATM via an external keyboard. Metadata is associated with the malware in Russian, or Cyrillic script.

The attack chain begins with a malware dropper (conhost.exe), according to Metabase Q. Next, the dropper is able to identify the system’s temporary directory to store the FiXS ATM malware payload.

“The embedded malware is decoded with XOR instruction where the key is changed in every loop via decode_XOR_key() function,” wrote researchers.

“Finally, FiXS ATM malware is launched  via  ‘ShellExecute’ Windows API,” researchers wrote.

“FiXS is implemented with the CEN XFS APIs which helps to run mostly on every Windows-based ATM with little adjustments, similar to other malwares like Ripper,” they wrote. “The way FiXS interacts with the criminal is via external keyboard, similar to other viruses, this can be confirmed by identifying the hooking mechanisms intercepting the keystrokes.”

Criminals, with an external keyboard, are then able to take advantage of the ATM reboot and within a 30-minute window of the system coming back online can “to spit out money.”

"It is not clear yet what the vector for the initial infection is. However, since FiXS utilizes an external keyboard (similar to Ploutus), we anticipate that it follows a similar methodology. In the case of Ploutus, a person with access to these teller machines physically connects an external keyboard to to the ATM for the attack to commence," researchers wrote.

How common is ATM jackpotting?

In separate report, researchers said that in first eight months of 2022, the number of unique devices affected by ATM and point-of-sale malware (jackpotting) grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Malware strains HydraPOS and AbaddonPOS were the most commonly used, according to the Kaspersky report.

Regions most impacted have include Latin America, Europe, Asia and the United States. “The risk is the highest with older ATM models, as these are difficult to repair or replace and seldom use security software to avoid further degrading their already-subpar performance,” Kaspersky wrote.

“The European Association for Secure Transactions, which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM Malware & Logical Attacks) in 2020, resulting in losses of $1.4 million or about $7,000 per attack,” according to a 2022 report by Federal Reserve Bank of Atlanta.

“Given the importance of ATMs in the financial system chain for cash-based economies, malware attacks are far from over. It is critical for banks and financial institutions to assume potential compromises of devices and focus on reducing the Time to Detect and Response to these types of threats,” Metabase Q researchers wrote.

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.