Ploutus

By GoldSparrow in Trojans

Ploutus is a threat that is used to steal cash from Automated Teller Machines (ATMs). Using Ploutus, con artists can force an ATM to dispense cash with a simple keystroke. Ploutus first appeared in 2013, and there are numerous variants in the Ploutus family of ATM threats. The first variant of Ploutus allowed con artists to connect a keyboard to an infected ATM and withdraw money. A variant of Ploutus released in 2014 allowed con artists to collect money from an ATM by sending an SMS message, making remote attacks possible. The newest version of Ploutus was first observed in November 2016.

Analyzing the Newest Version of Ploutus

PC security researchers obtained the newest version of Ploutus after a copy was uploaded to VirusTotal, an online threat scanner that threat creators may also use to test whether a new threat bypasses detection. The newest version of Ploutus has received the name 'Ploutus-D' because it seems to be designed to target Diebold ATMs. However, only small modifications are required to allow Ploutus to target Kalignite ATMs, so it is possible that several versions of the most recent Ploutus variant exist already.

The Ploutus-D attack is very similar to those of previous versions of this threat, requiring con artists to access the ATM through a keyboard. Ploutus is effective against ATMs running Windows, including Windows XP, 7, 8, and 10. After the keyboard is connected to the infected ATM, the con artists can use a command line to control the ATM with different combinations of function keys, such as F1, F2 or F3. Pressing F3 forces the affected ATM to dispense cash.

The New Features of Ploutus-D

The following are some of the features that appeared in Ploutus-D that had not been observed in previous variants of this threat:

  • Ploutus can target Kalignite ATMs.
  • Ploutus can affect ATMs using Windows XP, 7, 8, and 10.
  • Ploutus can be used to take control over Diebold ATMs.
  • Ploutus uses a different graphical user interface than its predecessors.
  • Ploutus is equipped with a launcher that stops security measures on the targeted ATM.
  • Ploutus is protected with a strong .NET obfuscator, known as Reactor, that was not seen in previous versions.

There are several things that Ploutus-D has in common with previous versions of Ploutus. Ploutus allows con artists to get cash from an ATM without requiring a card. Ploutus requires the use of an external keyboard, whereas many other ATM threats allow attackers to use the ATM's numerical keypad. Each Ploutus attack generates an activation code, which expires after one day. Ploutus is written in .NET and can run either as a Windows Service or as an independent application.

Additional Information Regarding Ploutus and Ploutus-D

The newest version of Ploutus has only been observed in attacks in Latin America, although PC security researchers predict that attacks involving this threat may start to appear in the United States and Canada at any time. Unfortunately, the ability to attack the Kalignite ATM platform makes Ploutus quite threatening, since this is a platform that is very common around the world. Some important information about Ploutus-D is listed below:

  • Ploutus-D was first observed in November 2016.
  • Ploutus-D is not designed to collect card information and, in fact, does not require a card to operate.
  • Ploutus-D is already being used in attacks, although mainly in Latin America.
  • Although Ploutus-D is designed to attack Diebold ATMs primarily, it is simple to adapt it to attack Kalignite ATMs.
  • Installing and operating Ploutus requires physical access to the ATM and its ports. Physical security, together with proper placement and monitoring of ATMs, therefore remains one of the most important aspects of keeping these devices safe from threats like Ploutus.
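Because Ploutus-D needs an external keyboard on the ATM and then runs as a .NET Windows Service or standalone program, the two events are worth correlating in ATM fleet monitoring. The rule below is an added example (not code from the original article or from any ATM vendor): it flags a host where a USB keyboard (HID) attach event is followed within a short window by a new service registration. The field names, host names, service names and paths are constructed for this example.

```python
"""Correlate a USB keyboard attach with a following service install on the same ATM host."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), in the shape an endpoint agent might emit.
SAMPLE_EVENTS = [
    {"ts": "2016-11-10T02:14:05", "host": "ATM-0471", "type": "usb_attach",
     "class": "HID", "desc": "USB Keyboard"},
    {"ts": "2016-11-10T02:16:40", "host": "ATM-0471", "type": "service_installed",
     "name": "UpdateSvc", "path": "C:\\Windows\\Temp\\upd.exe"},
    # Keyboard attached, but the service appears far outside the window: no alert.
    {"ts": "2016-11-10T09:00:00", "host": "ATM-0092", "type": "usb_attach",
     "class": "HID", "desc": "USB Keyboard"},
    {"ts": "2016-11-11T03:00:00", "host": "ATM-0092", "type": "service_installed",
     "name": "PrintSpoolerX", "path": "C:\\Program Files\\Vendor\\spool.exe"},
    # Service install with no preceding keyboard attach (e.g. a vendor rollout): no alert.
    {"ts": "2016-11-10T04:00:00", "host": "ATM-0311", "type": "service_installed",
     "name": "MonitorAgent", "path": "C:\\Program Files\\Vendor\\agent.exe"},
]

DEFAULT_WINDOW = timedelta(hours=1)  # assumed tuning value, not from the article


def correlate(events, window=DEFAULT_WINDOW):
    """Return one alert per service install that follows a HID attach on the same host."""
    alerts = []
    hid_attach_times = {}  # host -> datetimes at which a keyboard was attached
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_attach" and ev.get("class") == "HID":
            hid_attach_times.setdefault(ev["host"], []).append(t)
        elif ev["type"] == "service_installed":
            recent = [a for a in hid_attach_times.get(ev["host"], [])
                      if timedelta(0) <= t - a <= window]
            if recent:
                alerts.append({"host": ev["host"], "service": ev["name"], "path": ev["path"],
                               "keyboard_attached_at": recent[-1].isoformat(),
                               "minutes_later": round((t - recent[-1]).total_seconds() / 60, 1)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: service {a['service']!r} from {a['path']} "
              f"registered {a['minutes_later']} min after a keyboard was attached")
```

On the constructed sample only ATM-0471 is flagged; widening the window to a day also catches ATM-0092, so the window is a tuning choice for the fleet's normal service activity.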
