Press F3 for Money: “Ploutus” Dangerous ATM Malware Discovered


FireEye researchers have identified a new variant of the Ploutus ATM malware, a family that has been used for the past few years to make ATMs dispense cash on command.

Earlier Ploutus variants let criminals empty ATMs either with an external keyboard attached to the machine or via SMS messages, a technique that had not been seen before.

FireEye has now observed a previously unseen version, dubbed Ploutus-D, that interacts with KAL’s Kalignite multivendor ATM platform.


FireEye writes: “The samples we identified target the ATM vendor Diebold. However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.”

How it works

Once deployed on an ATM, Ploutus-D lets a money mule withdraw thousands of dollars in minutes. The mule needs a master key to open the top compartment of the ATM (or the ability to pick the lock), a physical keyboard to connect to the machine, and an activation code (supplied by the boss running the operation) in order to dispense cash from the ATM.

FireEye lists the following as new in Ploutus-D compared with earlier Ploutus builds:

  • It uses the Kalignite multivendor ATM Platform.
  • It can run on ATMs running Windows 10, Windows 8, Windows 7 and Windows XP.
  • It is configured to control Diebold ATMs.
  • It has a different GUI.
  • It comes with a Launcher that attempts to identify and kill security monitoring processes to avoid detection.
  • It uses a stronger .NET obfuscator, Reactor.

Commonality between Ploutus and Ploutus-D

  • The main purpose is to empty the ATM without requiring an ATM card.
  • The attacker must interact with the malware using an external keyboard attached to the ATM.
  • An activation code is generated by the attacker and expires after 24 hours.
  • Both were written in .NET.
  • Both can run as a Windows service or as a standalone application.

New Ploutus malware variant targets Diebold-made ATMs

According to the researchers, the new variant was first seen in November 2016, when someone uploaded a copy to the VirusTotal multi-engine scanning service.

This mistake gave the researchers a copy of the new build, which they nicknamed Ploutus-D because of features that let it specifically target Diebold ATMs.

Later analysis revealed that, with minor modifications, Ploutus-D could also target ATMs from other vendors that build their cash dispensers on the Kalignite Platform, currently deployed by 40 different ATM vendors in 80 countries.

A keyboard lets attackers cash out ATMs

As with previous variants, criminals deploy Ploutus-D when they can reach unsecured ATM ports, into which they plug a keyboard.

The keyboard gives them access to the ATM’s software. According to the researchers, Ploutus-D works against ATMs running Windows 10, 8, 7 and XP.

After connecting the keyboard, a command-line interface appears, and the thieves use the keyboard to enter combinations of function keys to control the ATM, for example “F8 F1” or “F8 F4 F5.”

Once the criminals settle on the amount of cash they want to take, they only need to press F3 and collect the money.

Of the activation code, FireEye malware analyst Daniel Regalado said: “This code is provided by the boss in charge of the operation and is calculated based on a unique ID generated per ATM, and the current month and day of the attack.”
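The procedure above leaves three host-side traces on the ATM itself: a keyboard is attached, the Launcher kills the security-monitoring process, and the malware is installed as a service. As an added detection example (not FireEye’s code and not from the original article), the script below correlates those three signals from Windows event records. The event IDs (Kernel-PnP device install 20001, process termination 4689, service install 7045) and the Keyboard setup-class GUID are standard Windows values; the log lines and the monitored agent names are constructed for illustration and would be replaced by the real agents on a given fleet.

```python
import json
from datetime import datetime, timedelta

# Windows setup-class GUID for the "Keyboard" device class. A Kernel-PnP
# "device installed" event (ID 20001; adjust for your event source) carrying
# this class means a keyboard was attached, which on an unattended ATM is
# itself worth a look.
KEYBOARD_CLASS_GUID = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"

# Security-monitoring agents that should never exit on a running ATM.
# Hypothetical placeholder names; substitute the real binaries on your fleet.
MONITORED_PROCESSES = {"ATMGuard.exe", "EndpointAgent.exe"}

# Constructed sample events, one JSON object per line (not real ATM logs).
# 20001 = Kernel-PnP device installed, 4689 = process terminated (Security),
# 7045 = a service was installed (System).
SAMPLE_LOG = r"""
{"time": "2016-11-15T02:14:05", "id": 20001, "class_guid": "{4D36E96B-E325-11CE-BFC1-08002BE10318}", "device": "HID\\VID_046D&PID_C31C"}
{"time": "2016-11-15T02:14:40", "id": 4689, "process": "C:\\Program Files\\ATMGuard\\ATMGuard.exe"}
{"time": "2016-11-15T02:15:02", "id": 7045, "service": "ATM Maintenance Service", "image": "C:\\Windows\\Temp\\svc.exe"}
{"time": "2016-11-15T09:30:00", "id": 4689, "process": "C:\\Windows\\System32\\notepad.exe"}
{"time": "2016-11-16T11:00:00", "id": 7045, "service": "Windows Update", "image": "C:\\Windows\\System32\\svchost.exe"}
{"time": "2016-11-20T14:00:00", "id": 20001, "class_guid": "{4D36E96B-E325-11CE-BFC1-08002BE10318}", "device": "HID\\VID_413C&PID_2107"}
"""


def parse_events(log):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in log.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def classify(ev):
    """Map a raw event to one of the three Ploutus-D precursor signals, or None."""
    if ev["id"] == 20001 and ev.get("class_guid", "").upper() == KEYBOARD_CLASS_GUID:
        return "keyboard_attached"
    if ev["id"] == 4689:
        exe = ev.get("process", "").rsplit("\\", 1)[-1]
        if exe in MONITORED_PROCESSES:
            return "monitor_killed"
    if ev["id"] == 7045:
        return "service_installed"
    return None


def detect(events, window=timedelta(minutes=10)):
    """One alert per keyboard attach. Severity is 'high' when a monitoring
    process dies or a new service appears within `window` of the attach
    (the Launcher kill and service install described in the article), and
    'low' otherwise, because a technician servicing the ATM also plugs in
    a keyboard."""
    signals = [(e["time"], classify(e), e) for e in events]
    signals = [s for s in signals if s[1] is not None]
    alerts = []
    for i, (t0, kind, ev) in enumerate(signals):
        if kind != "keyboard_attached":
            continue
        followups = [k for (t, k, _) in signals[i + 1:]
                     if k != "keyboard_attached" and t - t0 <= window]
        alerts.append({
            "time": t0.isoformat(),
            "device": ev["device"],
            "severity": "high" if followups else "low",
            "followups": followups,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input the first keyboard attach is followed within a minute by the agent dying and a service appearing from a temp directory, so it is reported as high severity; the second attach has no follow-up and is reported low. The service install a day later and the unrelated notepad exit do not contribute, which is the point of windowing on the keyboard event rather than alerting on any single signal.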

Key notes about Ploutus-D:

  • Ploutus-D was uploaded to VirusTotal in November 2016.
  • It has been observed in Latin America.
  • Ploutus-D affects Diebold ATMs.
  • Minor modifications could be made to Ploutus-D to affect other vendors using the Kalignite Platform.
  • It is operated through physical access to the ATM, via an external keyboard that must be connected to the machine.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.