.

ATM Malware Attacks – Ploutus-D Jackpot

.

Malware authors have recently hit the literal “jackpot” with the advent of the latest variant of the “Ploutus” family of targeted malicious code.  This code suite enables attackers to essentially convert an ATM into a remotely managed “Cash-Out” system that a criminal organization may either utilize directly, or can alternatively sell access rights to for an additional fee.  The “D” variant adds several new capabilities to the Malware, including support for new families of ATM software and equipment, and more importantly the capability to remotely administer compromised ATM’s over TeamViewer.  This addition increases the utility and value of compromised ATM’s to the attackers, by enabling them to generate revenue by selling access to their compromised systems to other criminal entities, who may then attempt to harvest the cash themselves; assuming the risk of exposure by doing so, and keeping the original attackers insulated in the process.  “Jackpot” indeed!

.

THE CHALLENGE

.

The PLOUTUS Family of Malware has been known and utilized in ATM Jackpotting attacks since 2013, and continues to evolve in sophistication and capability since its inception.  At its core, PLOUTUS, when activated, causes an ATM to dispense its reserve of bills rapidly and is quick succession, usually until emptied.  This dispensation is immediately collected by an actor (Typically referred to as a “Cash Mule”) operating on behalf of the criminal organization, who retrieves the cash and carries it to its intended destination.  Because of the tightly contained nature of most ATM infrastructure, local access is required to perform the initial compromise, and to retrieve the cash.  Ploutus-D incorporates features that help offset both of these risk points for the attackers, and help ensure an infection remains viable and useful to the attackers.

Typical attacks will unfold as follows:

1. A hostile agent will gain local physical access to the ATM Machine(s) to be compromised, typically masquerading as a maintenance technician. The attacker typically unplug the machine’s wired network port and will proceed to install the Ploutus malware via USB Stick.  In the case of Ploutus-D attacks, a USB wireless internet dongle will also be inserted discreetly at this time as well, for later use by the malware.
2. Upon Instantiation, the Malware will attempt to connect and phone home over the wireless connection facilitated via the dongle, and can receive further instructions from the attacker at this time. Instructions may include an order to begin cash out at a time and place of the attacker’s choosing; thereby separating the act of installing the Malware from the act of retrieving the case sufficiently to insulate the attacking individual from immediate suspicion.
3. Cash-out may take place at attacker discretion and can now be directed to either a mule in the employ of the attacker, or alternately to a mule in the employ of a secondary entity who has purchased access to the ATM from the attacker for a fee.
4. After the ATM is exhausted, the hostile agent will return to remove the code and dongle, and restore the ATM’s wired connection

.

The Solution

.

Symantec Critical System Protection for Embedded systems utilizes very powerful protected whitelist policies which ensures that a remote system (like an ATM) is protected against the most determined of digital attacks. What’s more, the highly static nature of these devices’ functions makes them ideal candidates for this kind of very granular protection strategy.  The Protected Whitelist Policy provides a granular and customizable set of system-wide of protections which automatically prevents execution of any process that is not known and explicitly trusted by the IT security team.  It also restricts the actions of known and trusted processes to only those actions critical to their function and/or which have been explicitly granted by IT. No unauthorized activity may be undertaken on a protected system.   These features provide a persistent, real-time, signature-free security measure which may be configured to work in conjunction with established patching processes and traditional anti-virus and ensure a strong security strategy even in less than ideal scenarios, and which cannot be readily defeated through conventional means.  Furthermore, Symantec Critical System Protection for Embedded systems enables the administrator the option of installing the agent in an un-managed configuration.  This unmanaged configuration may then be readily and easily updated and configured when necessary by approved field technicians without the need for centralized management which may be impossible to receive.

In the case of combatting a PLOUTUS attack attempt, there are SEVERAL capabilities that severely impair the attacker’s ability to achieve successful compromise, notably:

1. Protected whitelisting which prevents execution of ANY Code or module not explicitly granted access and permission to run on the protected system
2. Device restrictions which can be configured to prevent the installation of unauthorized hardware (such as wireless network dongles) that is not explicitly authorized for use with the ATM
3. Volume Access Restrictions that automatically prevent execution of code from unapproved locations (Like mounted USB data volumes)
4. Built-In Self-Protections that ensure the CSP agent cannot be tampered with or otherwise disabled once it is running.

.

The Impact

.

When faced with a CSP-Protected system, attackers attempting to locally install PLOUTUS (or any malware or unauthorized equipment, for that matter) will very quickly discover they are unable to perform even the first steps needed to complete their attack.  Given the time-sensitive nature associated with many of these attacks (the attackers do not wish to linger for any period of time, lest suspicion be drawn), these deterrents, which are significant in their own right, are typically sufficient to prompt the attacker to abort their activity before compromise is achieved.  Additionally, in cases where the CSP agent can be managed and can report events into a centralized management server, it becomes very possible to correlate CSP events generated from the compromise attempt with surveillance footage and thereby more effectively identify and pinpoint hostile actors and potentially facilitate their prompt removal.

Get in touch with us to dive deeper and find out how we can help better protect your ATMs and your Symantec CSP environment.

Email: connect@northstar.io  |   Phone: 312-421-3270