Danger level 8
Type: Other
Common infection symptoms:
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


Ploutus is not a new malicious application. It was first detected in 2013, when criminals used it to steal money from ATMs in Mexico. This malware allows attackers to make ATMs dispense cash on command, so it is not surprising that thousands in cash have already been stolen with its help. At the time of writing, Ploutus is no longer widely used, but the situation might, unfortunately, change quickly because a new version of this dangerous malware has been released. Specialists detected it in November 2016, but they needed some time to research it and establish that the malware they spotted on VirusTotal is not a new threat but a variant of Ploutus. Since this new version differs considerably from the old one, it has been given a new name: Ploutus-D. Let's look at the differences between the two versions.

Ploutus-D was given this name for a reason. Researchers who analyzed this new version of Ploutus found that it specifically targets ATMs made by the vendor Diebold. Unfortunately, later research has shown that other devices might be in danger too, because Ploutus-D could also target ATMs from other vendors if it is slightly modified. More specifically, it should be able to work on machines whose cash dispensers are built on the Kalignite Platform. Since this platform is used by 40 different ATM vendors in 80 countries, hundreds of thousands in cash could be stolen using this backdoor. The next paragraph provides more information about how this malicious application works.

Security specialists say that criminals first have to connect a keyboard to the ATM before they can use Ploutus-D to steal money from it. To do that, they have to find unsecured ATM ports (USB or PS/2). This is the only way to communicate with the Launcher and thus control the malicious software and the ATM. Before going to rob an ATM, crooks first have to find out which operating system it runs, because Ploutus-D works only on machines running Windows 10, 8, 7, and XP.

Once the keyboard is successfully connected, a command-line interface appears (it should be noted that the GUI of Ploutus-D differs from that of the older version of this malicious software). After this interface is displayed, certain commands can be carried out using combinations of F keys, for example, “F8 F4 F5” and “F8 F1 F1.” Users might even enter the amount of money they want the ATM to dispense. Once everything is set up, the F3 key is pressed and the criminals hurry to collect their money. Both the old and the new versions of Ploutus have been developed with the same purpose in mind: to reduce the risk of being caught on CCTV while stealing the money.

Both Ploutus and Ploutus-D share the same aim: to enable crooks to empty the ATM without a credit card. However, Ploutus-D differs considerably from the older version of this malware. First, it has been found that it could work on the Kalignite Platform, i.e. affect more ATMs, if it is slightly modified. Second, it comes with the so-called Launcher, which tries to find and kill all security monitoring processes in order to stay undetected. Third, it uses a stronger .NET obfuscator called Reactor. Finally, researchers say that Ploutus-D is much more persistent than its predecessor. This backdoor adds itself to the Userinit (\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) registry key so that it remains after a reboot. As for the similarities between Ploutus and Ploutus-D: both are used to steal money, both require criminals to connect a keyboard to the machine to communicate with the malware, both require an activation key that is generated by the attacker and works for 24 hours only, and both were created in .NET. It should also be noted that both versions of Ploutus can run as Windows Services or as standalone applications.
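
A defender's check for the Userinit persistence described above, as an added example that is not part of the original article: it compares a Userinit value against the stock Windows entry and reports anything else that would run at logon. The stock path is the well-known Windows default; the function names and the sample values (including the `C:\ProgramData\svc\launcher.exe` path) are constructed for illustration.

```python
import ntpath
import sys

# Well-known stock value on a clean Windows install (assumes Windows in C:\Windows).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values, not taken from a real ATM image.
SAMPLE_CLEAN = r"C:\Windows\system32\userinit.exe,"
SAMPLE_APPENDED = r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc\launcher.exe"
SAMPLE_REPLACED = r"C:\Temp\userinit.exe,"


def _normalize(entry, system_root):
    """Strip quotes/whitespace, lower-case, expand %SystemRoot%, collapse '..'."""
    e = entry.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        e = e.replace(var, system_root.lower())
    return ntpath.normpath(e)


def audit_userinit(value, system_root=r"C:\Windows"):
    """Return findings for a Userinit value; an empty list means it is stock."""
    expected = _normalize(DEFAULT_USERINIT.replace(r"C:\Windows", system_root), system_root)
    # Userinit is a comma-separated list; Winlogon starts every entry at logon.
    entries = [e for e in value.split(",") if e.strip()]
    findings = []
    if not any(_normalize(e, system_root) == expected for e in entries):
        findings.append("missing stock userinit.exe entry")
    for e in entries:
        if _normalize(e, system_root) != expected:
            findings.append("unexpected program: " + e.strip())
    return findings


def read_live_userinit():
    """Read the live value from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    value = read_live_userinit() if sys.platform == "win32" else SAMPLE_APPENDED
    for finding in audit_userinit(value) or ["Userinit is stock"]:
        print(finding)
```

A bare `userinit.exe` without a full path is reported as unexpected, which is the conservative choice for a locked-down ATM baseline.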

It is not likely at all that criminals will stop using Ploutus-D any time soon, so the number of robbed ATMs will only increase in the future, according to specialists. This is especially true of ATMs that have weaker protection.
