Danger level 8
Type: Other
Common infection symptoms:
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ploutus

Ploutus is not a new malicious application. It was first detected in 2013, when criminals employed it to steal money from ATMs in Mexico. This malware lets attackers make an ATM dispense cash on command, so it is not surprising that thousands in cash have already been stolen with its help. At the time of writing, Ploutus is no longer widely used, but that could unfortunately change quickly, because a new version of this dangerous malware has been released. Specialists detected it in November 2016, but they needed some time to research it and to establish that the sample they had spotted on VirusTotal was not a new threat but a variant of Ploutus. Since this new version differs greatly from the old one, it has been given a new name: Ploutus-D. Let's look at the differences between the two versions.

Ploutus-D has not been given this name without reason. Researchers who studied this new version of Ploutus found that Ploutus-D specifically targets ATMs from the vendor Diebold. Unfortunately, later research has shown that other devices may be in danger too, because Ploutus-D could also target other vendors' ATMs if it is slightly modified. More specifically, it should be able to work on machines whose cash dispensers are built on the Kalignite Platform as well. Since this platform is used by 40 different ATM vendors in 80 countries, hundreds of thousands in cash could be stolen using this backdoor. The next paragraphs provide more information about the way this malicious application works.

Security specialists say that criminals first have to connect a keyboard to the ATM in order to use Ploutus-D to steal money from it. To do that, they have to find unsecured ATM ports (USB or PS/2); this is the only way to communicate with the Launcher and thus control the malicious software and the ATM. Before attempting to rob an ATM, crooks also have to find out which operating system it runs, because Ploutus-D works effectively only on machines running Windows 10, 8, 7, and XP.

Once the keyboard is connected, a command-line interface appears (it should be noted that the GUI of Ploutus-D differs from that of the older version of this malware). Through this interface, commands are issued with combinations of F keys, for example "F8 F4 F5" and "F8 F1 F1." The operator can even enter the amount of money the ATM should dispense. Once everything is set up, F3 is pressed and the criminals hurry to collect the cash. Both the old and the new version of Ploutus were developed with the same purpose in mind: to reduce the risk of being caught on CCTV while stealing the money.

Both Ploutus and Ploutus-D share the same aim, enabling crooks to empty an ATM without a card, but Ploutus-D differs from the older version in several ways. First, it has been found to work on the Kalignite Platform, i.e. to affect more ATMs, if it is slightly modified. Second, it comes with a so-called Launcher that tries to find and kill all security monitoring processes in order to stay undetected. Third, it uses a stronger .NET obfuscator called Reactor. Finally, researchers say that Ploutus-D is much more persistent than its predecessor: this backdoor adds itself to the Userinit registry value (\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) so that it survives a reboot. As for the similarities between Ploutus and Ploutus-D: both are used to steal money, criminals have to connect a keyboard to the machine to communicate with the malware, both require an activation key that is generated by the attacker and works for 24 hours only, and both were written in .NET. It should also be noted that both versions of Ploutus can run as Windows services or as standalone applications.
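As an added defensive check (example code written for this page, not code from the original article or from any Ploutus research), the following PowerShell snippet audits the two behaviours described above: it reads the Winlogon Userinit value and reports any entry other than the stock userinit.exe path, and it confirms that the ATM's security monitoring processes are still running. The expected userinit.exe path and the monitoring process names are assumptions and must be replaced with the baseline of your own ATM image.

```powershell
# Added example, not from the original article: audit the Winlogon "Userinit"
# value that the article names as the Ploutus-D persistence location, and
# confirm that the security monitoring processes the Launcher is said to kill
# are still running. Expected path and process names are assumptions.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UserinitEntries {
    param([string]$Key = $WinlogonKey)
    # Userinit is a comma-separated list; Winlogon starts every entry at logon,
    # which is why an appended path survives reboots.
    $raw = (Get-ItemProperty -Path $Key -Name 'Userinit' -ErrorAction Stop).Userinit
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

function Test-UserinitIntegrity {
    param(
        [string]$Key = $WinlogonKey,
        # Assumed baseline: a stock install has exactly one entry, userinit.exe in System32.
        [string]$ExpectedPath = (Join-Path $env:SystemRoot 'System32\userinit.exe')
    )
    $entries    = Get-UserinitEntries -Key $Key
    # -ne is case-insensitive in PowerShell, so path casing does not matter.
    $unexpected = @($entries | Where-Object { $_ -ne $ExpectedPath })
    [pscustomobject]@{
        Entries    = $entries
        Unexpected = $unexpected
        Clean      = ($unexpected.Count -eq 0 -and $entries.Count -eq 1)
    }
}

function Test-MonitoringProcesses {
    param(
        # Hypothetical names: substitute the process names of the ATM's
        # own security monitoring software.
        [string[]]$Names = @('AtmSecurityMonitor', 'XfsWatchdog')
    )
    $missing = @($Names | Where-Object { -not (Get-Process -Name $_ -ErrorAction SilentlyContinue) })
    [pscustomobject]@{
        Expected = $Names
        Missing  = $missing
        Clean    = ($missing.Count -eq 0)
    }
}

# Usage: run elevated on the ATM's Windows image and review both reports.
$userinit = Test-UserinitIntegrity
$procs    = Test-MonitoringProcesses
$userinit | Format-List
$procs    | Format-List
if (-not $userinit.Clean) { Write-Warning "Unexpected Userinit entries: $($userinit.Unexpected -join '; ')" }
if (-not $procs.Clean)    { Write-Warning "Monitoring processes not running: $($procs.Missing -join ', ')" }
```

Both checks return objects rather than only printing, so they can be scheduled and their `Clean` flags forwarded to whatever fleet monitoring the ATM operator already uses; a non-empty `Unexpected` list is worth preserving as evidence before the value is restored.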

According to specialists, it is unlikely that criminals will stop using Ploutus-D any time soon, so the number of robbed ATMs will only increase in the future, especially among ATMs with weaker protection.


How to manually remove Ploutus

Files associated with Ploutus infection:

wintel.exe
un.exe
Flash Player.exe
wstartup.exe
color.vbe
csrssf.exe
wintaskhost.exe
MiniFriv01.exe
task64.exe
Steam.exe
REBUILDI.EXE
ctfmon.exe
ccsvchst.exe
syshm.exe
dwm22.exe
SearchIndexer.exe
Startup.exe
Clash Of Clans Hack v4.0 by ParadiseOfHacks.exe
str_up.exe
installer.exe
updater.exe
kworker.exe
hppupdate.exe
directxwebpack.exe
Win32.exe
a18467.exe
GoogleMailChecker.dll
Updater1.exe
mm.vbe
google.exe
Chrome_i.exe
D.vbe
VCL.dll
csrss.exe
pubpr.vbs
svchost.exe
svghost.exe
ss u helper.exe
WindowsService.exe
jusched.exe
pools.exe
conhost.exe
winpackhost.exe
winupdt32f.exe
lupdater.exe
DriverAssistE41.exe
Hiimuaxziuv.dll
2ryO.vbe
Application Data.exe
svcsystem.exe
wd.exe
Microsoft Services.exe
AppServices.exe
aiko.exe
BrowserTM.exe
systwin.exe
color.vbs
Time-svc.exe
cpuminerstart.exe
FacebookUpd.exe
Recent.vbe
TrustedInstaller.exe
Adobe.exe
run.vbs
msass.exe
testlive.exe
taskengcon.exe
snupdater.exe
Compresseddrivvernvidiagt.exe
RandomDelJiheReg.exe
Java.exe
msdtc.exe
FacebookVideoCalling.exe
WinUpdate.exe
BindEx.exe
malwareprotection360.exe
fghjmnlo1.exe
urrlsterm.dll
services.exe
netfilter2.sys
GetBooks.exe
LookupSvi.exe
win.vbs
mun.exe
Security.exe
tgcomiccityloader.exe
srcheng.dll
System.exe
firefoxupd.exe
csrssr.exe
bihelper.exe
strdfup.exe
Windows screen manage updater.exe
AppHelper.exe
winsvc.vbs
file.exe
bfmgmjch.exe
YesMessenger.pif
unwrapped.exe
ilms.exe

Ploutus DLLs to remove:

Hiimuaxziuv.dll
GoogleMailChecker.dll
VCL.dll
urrlsterm.dll
srcheng.dll

Ploutus processes to kill:

msass.exe
Flash Player.exe
BrowserTM.exe
ctfmon.exe
cpuminerstart.exe
svchost.exe
WinUpdate.exe
Time-svc.exe
tgcomiccityloader.exe
task64.exe
snupdater.exe
System.exe
updater.exe
RandomDelJiheReg.exe
ss u helper.exe
unwrapped.exe
Adobe.exe
hppupdate.exe
lupdater.exe
DriverAssistE41.exe
wintaskhost.exe
wstartup.exe
Microsoft Services.exe
WindowsService.exe
fghjmnlo1.exe
csrss.exe
FacebookUpd.exe
Security.exe
SearchIndexer.exe
TrustedInstaller.exe
ccsvchst.exe
FacebookVideoCalling.exe
firefoxupd.exe
aiko.exe
Java.exe
services.exe
a18467.exe
taskengcon.exe
jusched.exe
LookupSvi.exe
Win32.exe
systwin.exe
Updater1.exe
testlive.exe
svghost.exe
winupdt32f.exe
pools.exe
Application Data.exe
BindEx.exe
Chrome_i.exe
Startup.exe
GetBooks.exe
svcsystem.exe
wd.exe
msdtc.exe
conhost.exe
Compresseddrivvernvidiagt.exe
directxwebpack.exe
Windows screen manage updater.exe
Clash Of Clans Hack v4.0 by ParadiseOfHacks.exe
strdfup.exe
mun.exe
MiniFriv01.exe
dwm22.exe
AppServices.exe
syshm.exe
ilms.exe
google.exe
csrssr.exe
installer.exe
un.exe
kworker.exe
csrssf.exe
bfmgmjch.exe
str_up.exe
bihelper.exe
wintel.exe
AppHelper.exe
winpackhost.exe
Steam.exe
malwareprotection360.exe
file.exe
