Cybercriminals have been targeting ATMs in Mexico with a new strain of malware known as FiXS, which allows attackers to dispense cash from the targeted machines. This malware has been used in a series of attacks that began in February 2023.
According to a report by security experts, the tactics used in these attacks are similar to those used in previous attacks by Ploutus, another type of ATM malware that has been targeting Latin American banks since 2013. An updated version of Ploutus, which specifically targets ATMs produced by Brazilian vendor Itautec, has been prevalent across Latin America since 2021.
The FiXS malware is newly discovered and currently affects Mexican banks. Once installed on an ATM, it abuses CEN XFS, a suite of protocols and APIs for interacting with ATM peripherals, to program the machine to dispense cash, either via an external keyboard or by SMS messaging. This technique is known as jackpotting. Such attacks can cause significant financial losses for both banks and their customers, and they raise concerns about the security of ATM networks.
The Attack Chain of the FiXS Malware
One of the main features of the FiXS malware is that it enables the threat actor to dispense cash from the ATM 30 minutes after the machine has been rebooted. However, criminals must have access to the ATM via an external keyboard.
The malware contains metadata in Russian or Cyrillic script, and the attack chain begins with a malware dropper called 'conhost.exe'. This dropper locates the system's temporary directory and stores the FiXS ATM malware payload there. The embedded malware is then decoded with an XOR instruction, with the key changed on every loop iteration via the decode_XOR_key() function. Finally, the FiXS ATM malware is launched via the 'ShellExecute' Windows API.
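The dropper stage described above leaves two observable traces on the host: a binary named conhost.exe running from somewhere other than the Windows system directory, and a payload executed out of the temporary directory by that dropper. The following is an added detection example (not code from the original report or from the researchers) that applies those two checks to constructed Sysmon-style process-creation events; the paths, file names and the assumption that legitimate conhost.exe lives only in System32 are illustrative and should be adjusted to a fleet's own baseline.

```python
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
# These are illustrative samples, not real telemetry from the FiXS campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\atm\Downloads\conhost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\atm\AppData\Local\Temp\fixs_payload.exe",
     "ParentImage": r"C:\Users\atm\Downloads\conhost.exe"},
    {"Image": r"C:\Program Files\ATMVendor\xfsapp.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Assumed legitimate location of the Windows console host; extend to match the baseline.
LEGIT_CONHOST_DIRS = {r"c:\windows\system32"}


def _dir_and_name(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def _is_temp_dir(directory):
    """True when any component of the (lower-cased) directory is 'temp'."""
    return "temp" in directory.split("\\")


def classify(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    img_dir, img_name = _dir_and_name(event["Image"])
    _par_dir, par_name = _dir_and_name(event["ParentImage"])
    # 1. conhost.exe is a Windows binary; outside System32 it is a masquerade.
    if img_name == "conhost.exe" and img_dir not in LEGIT_CONHOST_DIRS:
        reasons.append("conhost.exe running outside System32")
    # 2. A binary run from %TEMP% by a conhost.exe parent matches the dropper-to-payload step.
    if _is_temp_dir(img_dir) and par_name == "conhost.exe":
        reasons.append("binary launched from temp directory by conhost.exe parent")
    # 3. Any other execution from the temp directory on an ATM still deserves review.
    elif _is_temp_dir(img_dir):
        reasons.append("binary launched from temp directory")
    return reasons


def triage(events):
    """Return (image, reasons) for every event that trips at least one check."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]
```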
The malware uses the CEN XFS APIs to interact with the ATM, which makes it compatible with most Windows-based ATMs with minimal adjustments. Cybercriminals use an external keyboard to interact with the malware, and its hooking mechanisms intercept the keystrokes. Within a 30-minute window after the ATM reboots, criminals can use the external keyboard to make the ATM 'spit out money'.
Researchers are unsure about the initial infection vector. However, since FiXS uses an external keyboard similar to Ploutus, it is also believed to follow a similar methodology. In the case of Ploutus, a person with physical access to the teller machine connects an external keyboard to the ATM to initiate the attack.
Jackpotting is Still Popular among Cybercriminal Groups
As ATMs remain a crucial component of the financial system for cash-based economies, malware attacks targeting these devices are still prevalent. Therefore, it is crucial for financial institutions and banks to anticipate potential device compromises and concentrate on optimizing and improving their responses to these types of threats. These attacks have had a significant impact on various regions, including Latin America, Europe, Asia and the United States.
The risks associated with these attacks are particularly high for older ATM models: they are challenging to repair or replace, and they rarely run security software, since it would further degrade their already poor performance.
The European Association for Secure Transactions has reported a total of 202 successful jackpotting attacks (ATM Malware & Logical Attacks) targeting financial institutions in the EU in 2020, resulting in losses of $1.4 million, or around $7,000 per attack, according to a 2022 report by the Federal Reserve Bank of Atlanta.