Danger level 8
Type: Other
Common infection symptoms:
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ploutus

Ploutus is not a new malicious application. It was first detected in 2013, when criminals used it to steal money from ATMs in Mexico. The malware lets attackers make an ATM dispense cash on command, so it is not surprising that large sums of money have already been stolen with its help. At the time of writing, Ploutus is no longer widely used, but the situation might, unfortunately, change quickly because a new version of this dangerous malware has been released. Specialists detected it in November 2016, but they needed some time to research it and understand that the sample they spotted on VirusTotal was not a new threat but a variant of Ploutus. Since this new version differs greatly from the old one, it has been given a new name: Ploutus-D. Let's look at the differences between the two versions.

Ploutus-D was not given this name without reason. Researchers who investigated this new version of Ploutus revealed that Ploutus-D specifically targets ATMs made by the vendor Diebold. Unfortunately, later research showed that other devices might be in danger too, because Ploutus-D could also target ATMs of other vendors if it is slightly modified. More specifically, it should be able to work on machines whose cash dispensers are built on the Kalignite Platform. Since this platform is used by 40 different ATM vendors in 80 countries, hundreds of thousands in cash could be stolen using this backdoor. The next paragraph provides more information about how this malicious application works.

Security specialists say that criminals first have to connect a keyboard to the ATM before they can use Ploutus-D to steal money from it. To do that, they have to find unsecured ATM ports (USB or PS/2). That is the only way to communicate with the Launcher and thus control the malicious software and the ATM. Before attempting to rob an ATM, the crooks also have to find out which operating system it runs, because Ploutus-D works effectively only on machines running Windows 10, 8, 7, and XP.

Once the keyboard is connected, a command-line interface appears (note that the GUI of Ploutus-D differs from that of the older version of this malicious software). After this interface is displayed, certain commands can be issued using combinations of F keys, for example "F8 F4 F5" and "F8 F1 F1." The operator can even enter the amount of money the ATM should dispense. Once everything is set up, F3 is pressed and the criminals hurry to collect the money. Both the old and the new versions of Ploutus were developed with the same goal in mind: to reduce the risk of being caught on CCTV while stealing the money.

Both Ploutus and Ploutus-D share the same aim: to let crooks empty an ATM without a credit card; however, Ploutus-D differs from the older version of this malware to a great extent. First, it has been found that it could work on the Kalignite Platform, i.e. affect more ATMs, if slightly modified. Second, it comes with a so-called Launcher that tries to find and kill all security monitoring processes in order to stay undetected. Third, it uses a stronger .NET obfuscator called Reactor. Finally, researchers say that Ploutus-D is much more persistent than its predecessor: the backdoor adds itself to the Userinit registry entry (\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) so that it survives a reboot. As for the similarities between Ploutus and Ploutus-D: both are used to steal money, in both cases criminals have to connect a keyboard to the machine to communicate with the malware, both require an activation key that is generated by the attacker and is valid for 24 hours only, and both were written in .NET. It should also be noted that both versions of Ploutus can run as Windows Services or as standalone applications.
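A defender-side check for the persistence mechanism just described, added here as an example and not part of the original article: it parses a Winlogon Userinit value string and flags anything beyond the stock userinit.exe entry. The sample values are constructed, and the PLACEHOLDER path stands in for whatever an analyst would actually find.

```python
from typing import Dict, List

# Registry location the write-up names for Ploutus-D persistence.
USERINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"

# Stock Windows value; Winlogon runs every comma-separated entry at logon,
# so an extra path appended here survives reboots. A trailing comma is normal.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit string into individual launch entries."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if not part:
            continue
        # Normalise the common %SystemRoot% spelling so comparison is stable.
        if part.lower().startswith("%systemroot%"):
            part = r"C:\Windows" + part[len("%systemroot%"):]
        entries.append(part)
    return entries


def audit_userinit(value: str) -> Dict[str, object]:
    """Report whether the stock entry is present and which extra entries exist.

    Returns {"stock_present": bool, "extra": [unexpected entries]}. A missing
    stock entry is itself suspicious: logon either breaks or runs something else.
    """
    entries = split_userinit(value)
    extra = [e for e in entries if e.lower() != EXPECTED_USERINIT.lower()]
    return {"stock_present": len(extra) != len(entries), "extra": extra}


# Constructed sample values, not taken from a real infection.
CLEAN_SAMPLE = r"C:\Windows\system32\userinit.exe,"
TAMPERED_SAMPLE = r"C:\Windows\system32\userinit.exe,C:\PLACEHOLDER\launcher.exe"

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, TAMPERED_SAMPLE):
        print(f"{USERINIT_KEY}\\{USERINIT_VALUE} = {sample!r}")
        print("  ->", audit_userinit(sample))
```

On a live host the value would be read with `reg query` or `Get-ItemProperty` and passed to `audit_userinit`; any path in `extra` is the candidate to investigate.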

According to specialists, it is unlikely that criminals will stop using Ploutus-D any time soon, so the number of robbed ATMs will only increase in the future. This is especially true of ATMs with weaker protection.


How to manually remove Ploutus

Files associated with Ploutus infection:


Ploutus DLLs to remove:


Ploutus processes to kill:

