On the 11th January 2017, the US security firm FireEye published a blogpost about a new malware family that they named “Ploutus-D” and described as “one of the most advanced ATM malware families we’ve seen in the last few years”. As the malware uses some components of KAL’s software platform and targets ATMs, it is of significant interest to KAL’s customers as well as to everyone in the ATM industry. This article sets out KAL’s understanding of the malware and our advice to ATM deployers. We would like to thank FireEye for giving KAL advance notice of their findings ahead of publication of the blogpost.
The malware has two characteristics that define it:
- It is able to dispense cash from an XFS-compliant ATM cash dispenser, and
- It is able to control when and how much cash is dispensed so that a “money mule” can collect the cash according to remote instructions from a mastermind.
Those in the ATM industry will be aware of the XFS standard and of KAL’s implementation of it, the Kalignite Platform. The malware uses KAL’s software components to implement the cash dispense function via the XFS Service Provider of the dispenser. The FireEye article postulates that KAL’s software components were taken from a stolen ATM. It is not uncommon for ATMs to be stolen in some countries – not just for the cash, but also so that their software components can be analysed and harvested.
Controlling the dispense
There is sophisticated code in the Ploutus malware to control the ATM cash dispenser so that the process a “money mule” uses to collect the cash remains under the remote control of a mastermind. This is to ensure that the money mule does not keep the money for himself but instead delivers it to the mastermind before returning to collect the next batch of cash from the affected ATM. To achieve this, the malware needs a keyboard or a phone to be connected to the ATM so that the mastermind can enable or disable the dispense process and ensure that the money mule receives the specified amount of cash (rather than, for example, having the cash dispensed to an unsuspecting customer who happens to be using the ATM at that moment). The amount dispensed is no doubt determined by the mule's own underworld credit rating.
An important aspect of the use of the malware not addressed by FireEye is how the malware is initially installed on the ATM. It appears to KAL that the malware can only be used on ATMs that have no security protections or where the security protection has not been enabled. In order for the malware to be successful, each of the following security protections would need to fail:
- First, physical access to the ATM’s PC-Core: the malware requires access to a keyboard port (e.g. PS/2) and/or a USB port. This requires physical access to the location where the ATM is situated (most ATMs have physical barriers that prevent this) and to the PC-Core inside the ATM. Again, most ATMs have a physical lock on the ATM cabinet that contains the PC-Core.
- Secondly, the malware would need to be installed inside the ATM runtime environment. To do this, it would be necessary to have physical access as above, and the USB ports would need to be left unlocked for mass storage devices. Alternatively, the malware would have to be introduced via a sophisticated network attack – but there is no evidence of that. Our best guess is that the malware would have been introduced via an unlocked USB port.
- Finally, the malware would have to install itself and run on the ATM. This would not be possible on ATMs protected with whitelisting technology.
All three of the weaknesses above are necessary before the malware can attack an ATM – any one of the three protections above would stop the malware from being used.
Advice to ATM deployers
Ploutus-D threatens all ATM deployers and not just KAL’s customers. As FireEye states, “legitimate KAL ATM software is dropped into the system along with Ploutus-D…” which means that all XFS-compliant ATMs are at risk from this malware.
The following security precautions are therefore essential on all ATMs to protect from Ploutus-D:
- Physical security to protect access to the PC-Core. The motherboard, USB ports and keyboard ports should be protected from easy physical access.
- USB mass-storage lockdown. It is essential that USB ports be locked down so that unidentified storage devices cannot be inserted and used.
- Software whitelisting, so that only authorized software is allowed to run in the ATM.
Finally we would add one further requirement:
- The reason that Ploutus-D exists is not just that some ATMs are not properly protected, but also because hard disks can be stolen and legitimate software misused. It is essential that hard disks be secured with whole disk encryption.
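The three software-side controls above (USB mass-storage lockdown, application whitelisting and whole-disk encryption) can be audited on a Windows-based PC-Core before the ATM goes into service. The script below is an added example for this article; it is not KAL's code and is not part of the Kalignite Security Lockdown. It assumes the PC-Core runs a Windows version with the AppLocker and BitLocker PowerShell cmdlets available, that AppLocker is the whitelisting mechanism and BitLocker the disk-encryption mechanism (the article names neither product), and that the session is elevated. The USBSTOR registry key and its Start value are standard Windows; the AppLocker object property names used (RuleCollections, RuleCollectionType, EnforcementMode) are as the author understands them. Physical security of the cabinet cannot be scripted and is left to the deployer's site checks.

```powershell
# Added example, not KAL's code: audits a Windows ATM PC-Core for the three
# software controls recommended above. Run from an elevated PowerShell session.

function Test-UsbMassStorageLockdown {
    # USBSTOR is the USB mass-storage class driver. Start = 4 (Disabled) stops
    # removable disks from mounting while leaving USB keyboards (HID) unaffected,
    # so an engineer with an authorised keyboard can still service the machine.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    return [bool]($start -eq 4)
}

function Test-ApplicationWhitelisting {
    # AppLocker only blocks anything if the Application Identity service is
    # running AND the effective policy has an executable rule collection in
    # Enforce mode. An audit-only collection would log Ploutus-D, not stop it.
    $svcRunning = (Get-Service -Name AppIDSvc -ErrorAction Stop).Status -eq 'Running'
    $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $exeRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $enforced = ($null -ne $exeRules) -and ($exeRules.EnforcementMode -eq 'Enabled')
    return [bool]($svcRunning -and $enforced)
}

function Test-WholeDiskEncryption {
    # The system volume must be fully encrypted with protection switched on.
    # A suspended BitLocker volume is still encrypted but reports ProtectionStatus
    # 'Off', which means the key is exposed in the clear; treat that as a failure.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    return [bool]($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
}

function Invoke-AtmHardeningAudit {
    # Evaluate every control independently so that one failure does not mask
    # another; any single failing row is a finding, since each control on its
    # own would have stopped the attack chain described in the article.
    $checks = [ordered]@{
        'USB mass-storage lockdown' = { Test-UsbMassStorageLockdown }
        'Application whitelisting'  = { Test-ApplicationWhitelisting }
        'Whole-disk encryption'     = { Test-WholeDiskEncryption }
    }
    foreach ($name in $checks.Keys) {
        try   { $pass = & $checks[$name]; $detail = '' }
        catch { $pass = $false; $detail = $_.Exception.Message }
        [PSCustomObject]@{ Control = $name; Pass = $pass; Detail = $detail }
    }
}

function Disable-UsbMassStorage {
    # Remediation for the first finding. Applies to newly inserted devices
    # immediately; reboot to detach any mass-storage device already mounted.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                     -Name Start -Value 4 -Type DWord
}

Invoke-AtmHardeningAudit | Format-Table -AutoSize
```

The audit deliberately reports each control separately rather than a single pass/fail, because the article's point is that any one of the three protections is enough to break the installation chain; a deployer fixing findings in order of cost can see which gap remains open. Note that disabling USBSTOR does not lock down the keyboard port, which the malware also uses, so it complements rather than replaces the physical protection of the PC-Core.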
Advice to KAL’s customers
It is essential that KAL customers enable the Kalignite Security Lockdown on all ATMs. This contains all of the features listed above but also additional features that help to block other types of malware attacks. Please contact us if you wish to discuss.