Malware in mexican ATM

Forum for analysis and discussion about malware.

Re: Malware in mexican ATM

Postby Xylitol » Fri Jan 03, 2014 11:25 am

Aysun wrote:No, I'm looking for a sample too. Can't we contact someone from the conference and ask for the hash of their sample, maybe?

try to contact the CCC http://ccc.de/en/contact
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Malware in mexican ATM

Postby Aysun » Sat Jan 04, 2014 2:36 am

I did, no reply.
Aysun
 
Posts: 6
Joined: Fri Nov 01, 2013 2:01 am
Reputation point: 1

Re: Malware in mexican ATM

Postby Xylitol » Tue Mar 25, 2014 6:53 pm

Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication ~ http://www.symantec.com/connect/blogs/t ... istication
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Malware in mexican ATM

Postby id_grinder » Wed Mar 26, 2014 11:13 am

Well, there are some "commercial" and security issues involved in this Ploutus campaign.
First there is the real threat.
I had the chance to analyse the malware so kindly provided here, and it is a valid threat.
It is engineered by someone with deep knowledge of ATM functionality and exploits some features found in many ATM terminals in existence right now.
However, being a POI (point of interaction) attack, it is relatively hard to scale, since it requires physical access to the machine and PC cage.
Processors, providers and private owners are at risk if they do not have alarm systems installed on their ATMs.
Locking down the BIOS is a good option, but if the attacker has enough time he can open the PC cage and clear the BIOS NVRAM.
In some situations, the USB printer port was used to gain access to the PC by drilling holes in a predetermined area of the ATM fascia and plugging in a USB stick, followed by a power cycle of the ATM.
In all presented and confirmed cases, the malware was delivered via a bootable disk to bypass some of the security software installed on the ATM HDD, since these are not active in offline mode.
This feature again proves the malware creator's knowledge of ATM systems and functionality.
Another way of installing the malware is to use the technicians that service the machines.
There are several reports where the technicians were either bribed or threatened and forced to install the malware on the ATMs.
Another side of this is the "commercial" side, which is much more interesting.
Now over 80% of the ATMs currently running in the world are running a version of Windows.
Some of them are however unaffected by Ploutus (they run Windows CE), but the rest of them are susceptible to this threat.
Now there are several interests in here.
New software licenses (XP ends support in April), new hardware (since Windows 7 has a new driver model and the PCs in existence on ATMs are several years old, there is no chance of finding suitable drivers for more than 50% of the ATM fleet in existence), new security software and ATM application software.
One of the issues in the ATM industry is the resilience of ATM network owners to changes.
Not because they would not welcome the change, but because it costs a big amount of money in new hardware (usually the price of an ATM PC is twice or even three times more than an off-the-shelf PC) and the entire software stack installed has to undergo a long line of tests and certifications that cost another truckload of money.
I personally believe that the current "Ploutus" threat, aside from the fact that it is a security breach that has to be addressed, is used by certain companies to push ATM owners into the costly upgrades they have been avoiding so far.
Again, from the point of view of scale, Ploutus is a single-point infection and it cannot propagate itself like other malicious software, due to the nature of the ATM networks and the restrictions imposed in them.
Compared to physical attacks, I would put Ploutus on the same line as, if not below, attacks by explosives or gas.
And for these kinds of attacks, the ATM owners are already covered.
So Ploutus is not as much of a threat.
It is used as a way of pushing sales.
id_grinder
 
Posts: 1
Joined: Sun Jan 19, 2014 9:34 pm
Reputation point: 0

Re: Malware in mexican ATM

Postby peteramster » Wed Nov 19, 2014 1:00 am

How exactly does Ploutus work, and what's the code we must use for running Ploutus?
Thanks
peteramster
 
Posts: 1
Joined: Thu Nov 13, 2014 4:16 am
Reputation point: 0

Re: Malware in mexican ATM

Postby Xylitol » Wed Nov 19, 2014 8:23 pm

peteramster wrote:How exactly does Ploutus work, and what's the code we must use for running Ploutus?
Thanks

Read the thread again.
teddybear wrote:http://blog.spiderlabs.com/2013/10/having-a-fiesta-with-ploutus.html
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Malware in mexican ATM

Postby writersumit » Thu Nov 27, 2014 6:27 am

Many thanks for this informative thread and the share. I'm now trying to understand Ploutus. I read that the newer version gets installed from a mobile phone via a text message. Have to check all that. Thanks again.
writersumit
 
Posts: 1
Joined: Thu Nov 27, 2014 5:28 am
Reputation point: 0

Re: Malware in mexican ATM

Postby Earth124 » Fri May 01, 2015 5:38 am

Xylitol, thanks, a +rep for the slick passcode entry; it's literally in my face. :/
Earth124
 
Posts: 4
Joined: Fri May 01, 2015 5:24 am
Reputation point: 0

Re: Malware in mexican ATM

Postby Xylitol » Thu Feb 16, 2017 5:27 pm

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America ~ https://www.fireeye.com/blog/threat-res ... riant.html

Diebold.exe - https://www.virustotal.com/en/file/04db ... 487265583/
AgilisConfigurationUtility.exe - https://www.virustotal.com/en/file/aee9 ... 487265968/
Xylitol
Global Moderator
 
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: Malware in mexican ATM

Postby K_Mikhail » Sun Feb 19, 2017 9:59 am

Seems FireEye missed this sample in their article:

Diebold.exe: https://virustotal.com/ru/file/0971c166 ... 487497822/ (also BKDR_PLOUTUS.D by TrendMicro)

MD5: 328ec445fce0ec1e15972fef9ec4ce38
SHA1: ad8a7c5d1287b1fb8b8e874ba9bdb7be0ee971f9
SHA256: 0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5
K_Mikhail
 
Posts: 37
Joined: Tue Apr 13, 2010 4:13 pm
Reputation point: 12
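The hashes K_Mikhail posts above are the kind of indicator a responder would sweep an ATM's disk image for. As an added example that is not code from this thread, FireEye or VirusTotal, the following Python matcher hashes every file under a directory once (MD5, SHA-1 and SHA-256 in a single read pass, since the post lists all three) and flags files whose digest matches the posted sample or whose name matches the dropper filenames seen in the VirusTotal links (Diebold.exe, AgilisConfigurationUtility.exe). The hash set is the one from the post; the filename set, the sample directory and the file contents in `demo()` are constructed for the example, and a filename match is only a weak indicator to be confirmed by hash.

```python
"""IOC matcher for the Ploutus sample hashes posted in this thread.

Added example, not code from the thread or from any vendor. Walks a
directory, computes MD5/SHA-1/SHA-256 of each file in one pass and reports
matches against the posted hash set (strong indicator) and against the
dropper filenames from the VirusTotal links (weak indicator).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hashes of the Diebold.exe sample posted by K_Mikhail above.
KNOWN_HASHES: Dict[str, set] = {
    "md5": {"328ec445fce0ec1e15972fef9ec4ce38"},
    "sha1": {"ad8a7c5d1287b1fb8b8e874ba9bdb7be0ee971f9"},
    "sha256": {"0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5"},
}
# Filenames from the VirusTotal links in the thread (assumed list, weak indicator).
SUSPECT_NAMES = {"diebold.exe", "agilisconfigurationutility.exe"}


@dataclass
class Finding:
    path: str
    hashes: Dict[str, str]
    hash_hit: Optional[str]  # algorithm whose digest matched, or None
    name_hit: bool           # filename matched SUSPECT_NAMES


def _digest(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all three digests so the file is read only once."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in chunks:
        for d in h.values():
            d.update(block)
    return {k: d.hexdigest() for k, d in h.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return _digest([data])


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(chunk), b""))


def check_file(path: str) -> Finding:
    hashes = hash_file(path)
    hash_hit = next((alg for alg, hx in hashes.items() if hx in KNOWN_HASHES[alg]), None)
    name_hit = os.path.basename(path).lower() in SUSPECT_NAMES
    return Finding(path, hashes, hash_hit, name_hit)


def scan(root: str) -> List[Finding]:
    """Return only the files that hit on hash or on name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings.append(check_file(os.path.join(dirpath, name)))
    return [f for f in findings if f.hash_hit or f.name_hit]


def demo() -> List[Finding]:
    """Constructed sample tree: one benign file and one file that only
    carries a suspect name (its content is NOT the real sample)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "readme.txt"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(tmp, "Diebold.exe"), "wb") as f:
        f.write(b"constructed placeholder, not the Ploutus dropper")
    return scan(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f.path, "hash_hit=%s name_hit=%s" % (f.hash_hit, f.name_hit))
```

On a real disk image the name-only hit is where you submit the file to VirusTotal or compare against the FireEye indicators; the hash hit is conclusive for the one sample listed here.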
