Danger level 8
Type: Other
Common infection symptoms:
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ploutus

Ploutus is not a new malicious application. It was first detected in 2013, when criminals used it to steal money from ATMs in Mexico. The malware lets attackers make an ATM dispense cash on command, so it is not surprising that large sums have already been stolen with its help. At the time of writing, Ploutus is no longer in wide use, but that may quickly change, because a new version of this dangerous malware has appeared. Specialists detected it in November 2016, but they needed some time to analyse the sample they spotted on VirusTotal and establish that it was not a new threat but a variant of Ploutus. Because the new version differs considerably from the old one, it has been given a new name, Ploutus-D. Below we look at the differences between the two versions.

Ploutus-D did not get its name by accident: the researchers who analysed the new version found that it specifically targets ATMs made by Diebold. Unfortunately, later research has shown that other machines may be at risk too, because Ploutus-D could be made to target other vendors' ATMs with only slight modification. More specifically, it should work on any machine whose cash dispenser is driven by the Kalignite platform. Since that platform is used by 40 ATM vendors in 80 countries, this backdoor could be used to steal very large sums. The next paragraph explains how the malware works.

Security specialists say that the criminals first have to connect a keyboard to the ATM before they can use Ploutus-D to steal money from it. To do that, they have to find an unsecured ATM port (USB or PS/2); it is the only way to communicate with the Launcher and thus control the malware and the ATM, so physically securing those ports denies the attacker the only channel described here. Before robbing an ATM, the crooks also have to find out which operating system it runs, because Ploutus-D works only on machines running Windows 10, 8, 7, or XP.

Once the keyboard is connected, a command-line interface appears (note that the Ploutus-D interface differs from the GUI of the older version). From this interface, commands are issued with combinations of F keys, for example "F8 F4 F5" and "F8 F1 F1". The operator can even enter the amount of money the ATM should dispense. Once everything is set up, F3 is pressed and the criminals hurry to collect their money. Both the old and the new versions of Ploutus were built with the same goal in mind: to reduce the risk of being caught on CCTV while the money is being taken.

Both Ploutus and Ploutus-D serve the same aim, emptying an ATM without a card, but Ploutus-D differs from its predecessor in several ways. First, as noted above, it can be made to work on the Kalignite platform with slight modification and so affects more ATMs. Second, it ships with a so-called Launcher that tries to find and kill security monitoring processes in order to stay undetected. Third, it is protected with a stronger .NET obfuscator, Reactor. Finally, researchers say that Ploutus-D is much more persistent than the older version: it adds itself to the Userinit value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which Windows executes at every logon, so the backdoor survives a reboot. As for similarities, both versions are used to steal cash, both require the criminals to connect a keyboard to the machine to communicate with the malware, both require an activation key that is generated by the attacker and is valid for 24 hours only, and both were written in .NET. Both versions can also run either as a Windows service or as a standalone application.
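The Userinit persistence described above is easy to audit: the value is a comma-separated list, and on a clean machine it names only the stock userinit.exe. The script below, added here as an example and not taken from the page or from any Ploutus analysis, splits the value, tolerates the trailing comma and the %SystemRoot% spelling that legitimate installs use, and reports every other entry. The sample values are constructed for illustration; the "agent.exe" path is not a real Ploutus artefact. The live-registry read assumes a default Windows install and is skipped on other platforms so the parsing logic can be exercised anywhere.

```python
"""Audit the Winlogon Userinit value for extra logon-time entries.
Added example; sample values below are constructed, not observed."""
import re
import sys
from typing import List, Optional

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"

# Stock value on a default install (trailing comma is normal).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Constructed example of a tampered value: a second program has been
# appended so Windows launches it at every logon.
SAMPLE_TAMPERED = r"C:\Windows\system32\userinit.exe,C:\Windows\Temp\agent.exe"

# Spellings accepted as the legitimate entry, compared after
# normalisation. Assumption: Windows lives in C:\Windows.
EXPECTED = {
    r"c:\windows\system32\userinit.exe",
    "userinit.exe",
}


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated value into non-empty entries.
    Windows runs each entry in turn at logon, so every entry is a
    potential persistence point; empty entries from the trailing
    comma are dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def normalize(entry: str) -> str:
    """Strip quotes, expand %SystemRoot%/%WinDir%, unify slashes and
    case so equivalent spellings of the stock path compare equal."""
    entry = entry.strip('"')
    entry = re.sub(r"%systemroot%|%windir%", r"C:\\Windows", entry, flags=re.I)
    return entry.replace("/", "\\").lower()


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every entry that is not the stock userinit.exe, in the
    original spelling so the finding can be reported verbatim."""
    return [e for e in split_userinit(value) if normalize(e) not in EXPECTED]


def read_live_userinit() -> Optional[str]:
    """Read the value from the live registry. Only possible on Windows;
    returns None elsewhere so the parser can still be tested offline."""
    if sys.platform != "win32":
        return None
    import winreg  # available only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, USERINIT_VALUE)
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    value = live if live is not None else SAMPLE_TAMPERED
    source = "live registry" if live is not None else "constructed sample"
    extras = unexpected_userinit_entries(value)
    print(f"Userinit ({source}): {value}")
    if extras:
        print("Unexpected logon entries:")
        for entry in extras:
            print("  ", entry)
    else:
        print("Only the stock userinit.exe is present.")
```

Run it as an administrator on the ATM's Windows image to read the real value; anywhere else it demonstrates the check against the constructed sample. Treat any extra entry as a finding to investigate rather than as proof of Ploutus specifically, since other software also abuses this value.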

Specialists do not expect criminals to stop using Ploutus-D any time soon, so the number of robbed ATMs is likely to keep growing, especially among machines with weaker protection.


How to manually remove Ploutus

Files associated with Ploutus infection:

fghjmnlo1.exe
pubpr.vbs
winupdt32f.exe
ss u helper.exe
pools.exe
ctfmon.exe
Security.exe
WinUpdate.exe
Startup.exe
Adobe.exe
BrowserTM.exe
SearchIndexer.exe
FacebookUpd.exe
installer.exe
systwin.exe
YesMessenger.pif
task64.exe
svchost.exe
mm.vbe
AppHelper.exe
Application Data.exe
bfmgmjch.exe
sdfesdf.exe.exe
RandomDelJiheReg.exe
TrustedInstaller.exe
ilms.exe
svghost.exe
services.exe
taskengcon.exe
directxwebpack.exe
unwrapped.exe
clientmonitor.exe
Hiimuaxziuv.dll
AppServices.exe
urrlsterm.dll
D.vbe
REBUILDI.EXE
conhost.exe
run.vbs
Recent.vbe
csrssf.exe
a18467.exe
color.vbe
2ryO.vbe
WindowsService.exe
Steam.exe
un.exe
Clash Of Clans Hack v4.0 by ParadiseOfHacks.exe
wstartup.exe
msdtc.exe
file.exe
testlive.exe
Time-svc.exe
wintel.exe
netfilter2.sys
kworker.exe
GetBooks.exe
Java.exe
msass.exe
System.exe
malwareprotection360.exe
firefoxupd.exe
cpuminerstart.exe
Flash Player.exe
Chrome_i.exe
Win32.exe
btwdins.exe
syshm.exe
Compresseddrivvernvidiagt.exe
str_up.exe
mppsvc.dll
Vghd.exe
VCL.dll
mun.exe
lupdater.exe
winpackhost.exe
Updater1.exe
dwm22.exe
MiniFriv01.exe
DriverAssistE41.exe
updater.exe
color.vbs
LookupSvi.exe
csrss.exe
hppupdate.exe
tgcomiccityloader.exe
aiko.exe
wintaskhost.exe
ccsvchst.exe
win.vbs
Windows screen manage updater.exe
srcheng.dll
wd.exe
svcsystem.exe
Microsoft Services.exe
snupdater.exe
BindEx.exe
strdfup.exe
csrssr.exe
winsvc.vbs

Ploutus DLLs to remove:

Hiimuaxziuv.dll
VCL.dll
srcheng.dll
mppsvc.dll
urrlsterm.dll

Ploutus processes to kill:

mun.exe
Security.exe
ss u helper.exe
services.exe
file.exe
Java.exe
task64.exe
testlive.exe
Windows screen manage updater.exe
sdfesdf.exe.exe
cpuminerstart.exe
AppServices.exe
Flash Player.exe
firefoxupd.exe
taskengcon.exe
winpackhost.exe
Vghd.exe
tgcomiccityloader.exe
kworker.exe
csrssr.exe
winupdt32f.exe
installer.exe
Chrome_i.exe
wintaskhost.exe
lupdater.exe
GetBooks.exe
svcsystem.exe
ctfmon.exe
ilms.exe
LookupSvi.exe
AppHelper.exe
ccsvchst.exe
conhost.exe
Win32.exe
Microsoft Services.exe
csrss.exe
svghost.exe
Clash Of Clans Hack v4.0 by ParadiseOfHacks.exe
svchost.exe
WindowsService.exe
TrustedInstaller.exe
msass.exe
MiniFriv01.exe
str_up.exe
Updater1.exe
updater.exe
wintel.exe
un.exe
Time-svc.exe
wd.exe
btwdins.exe
hppupdate.exe
wstartup.exe
pools.exe
dwm22.exe
unwrapped.exe
malwareprotection360.exe
Startup.exe
WinUpdate.exe
FacebookUpd.exe
Compresseddrivvernvidiagt.exe
a18467.exe
System.exe
strdfup.exe
fghjmnlo1.exe
Steam.exe
aiko.exe
BindEx.exe
msdtc.exe
systwin.exe
bfmgmjch.exe
BrowserTM.exe
csrssf.exe
DriverAssistE41.exe
snupdater.exe
directxwebpack.exe
Application Data.exe
SearchIndexer.exe
RandomDelJiheReg.exe
syshm.exe
clientmonitor.exe
Adobe.exe