The Spanish-language Ploutus ATM malware has been updated with English-language support.
The binary name was also altered to 'Ploutus.exe' from 'PloutusService.exe', and it has been changed from a standalone program to a modular architecture, said Symantec Security Response researcher Satnam Narang.
Otherwise, the mechanism for crooks is mostly the same. Essentially, the malware is transferred into the ATM through the CD-ROM drive, attackers send a 16-digit command code using the ATM keypad, a dispatcher sends a 33-digit instruction to Ploutus through the command line, and then a timer is scheduled to dispense funds.
The malware will only spit out money within the first 24 hours of activation, Narang said.
Aside from physically hardening ATMs so that criminals cannot reach the money machine's CD-ROM drive, Symantec has offered up some additional best practices for owners to defend against Ploutus.
First, configure the BIOS boot order to boot only from the hard disk, and not from a CD, DVD or USB device, Narang said. He added that ATM vendors should secure the BIOS with a password so that attackers cannot reconfigure the boot options, consider removing hardware that allows the BIOS to read and boot from such media, and ensure that AV signatures and security solutions are up to date.
“This discovery underlines the increasing level of cooperation between traditional physical-world criminals and hackers and cyber criminals,” Narang said, adding that ATMs in off-site locations, such as malls and convenience stores, are more likely at risk. “With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that to carry out successful heists, they now require another set of skills that wasn't required in the past.”
Russian security firm Safensoft discovered late in September that Ploutus was infecting ATMs in Mexico, and not long after, information security company Trustwave released its own findings on the malware.