The Ploutus ATM malware family, first detected in 2013 by Symantec as Backdoor.Ploutus, allows attackers to withdraw cash from an ATM machine on command. The malware is installed by accessing the ATM’s CD-ROM drive and inserting a new boot disk that delivers the Ploutus variant. After connecting an external keyboard to the ATM machine, threat actors must press ‘F8’ to display the hidden trojan window. Once visible, numerous commands can be executed such as pressing ‘F1’ to generate ATM ID, ‘F2’ to activate ATM ID, and ‘F3’ to dispense cash.

In 2014, Symantec detected a new version of Ploutus named Backdoor.Ploutus.B. This version is distributed by connecting a mobile phone to an ATM, commonly via USB tethering. Once connected, criminals can execute commands on the ATM by sending specially-crafted SMS messages. The embedded mobile device then converts the SMS message into a network packet and forwards it to the ATM via the established connection.

Another version, dubbed Ploutus-D, was detected in 2016 targeting the ATM vendor Diebold. Ploutus-D operates on ATM’s running Windows 10, 8, 7, and XP and is designed to force an ATM machine to dispense cash. To execute Ploutus-D, threat actors must have physical access to the top portion of the ATM, the ability to connect an external keyboard, and possess a temporary activation code generated by the attackers. The malware achieves persistence by adding itself to the “Userinit” registry key and uses combinations of ‘F’ keys to execute commands including start programs, kill processes, delete files, and reboot machine. Although Ploutus-D initially targeted only Diebold ATMs, researchers discovered that minor modifications to the malware could enable it to run on 40 additional ATM vendors in 80 countries.  

In October 2017, Diebold Nixdorf issued an alert regarding a jackpotting scheme impacting ATMs throughout Mexico. According to the alert, threat actors targeted Front-load Advanced Function Dispenser (AFD)-based Opteva terminals in a scheme designed to steal large amounts of cash from vulnerable ATMs. In these attacks, criminals infected ATMs with a variant of the Ploutus.D malware by installing it directly on the ATM’s internal computer or by replacing the device’s hard disk drive (HDD) with a malware-infected one. Diebold Nixdorf issued an additional alert in January 2018 detailing possible jackpotting attacks observed in the United States. Researchers suspect Ploutus.D was used in these attacks; however, the malware variant was not disclosed.

Reporting and Technical Details:

Image Source: Symantec