New Variant of Ploutus ATM Malware Is Badder Than Ever

There is a new strain of the Ploutus ATM malware that has been spotted by security researchers at FireEye. This new variant, called Ploutus-D, only currently targets ATMs manufactured by Diebold, but this could expand quite easily. FireEye researchers warn that just a few simple code changes could make this malware effective on ATMs manufactured by 40 different vendors in 80 countries.


The purpose of the malware is to empty an ATM without the need for an ATM card. Compared to previous versions of the malware, Ploutus-D has upgraded the cash-dispensing component of the malware to make it even more threatening and has secured the software package with Reactor, making it exceedingly difficult for security researchers to reverse-engineer it and develop preventative measures.


The installation installs legit KAL ATM software alongside the exploit, ensuring that the software versions match those needed for the exploit to work. This reveals some information about the authors of the malware because it means that they have access to this software, either through resellers, stealing ATMs, or perhaps being a company insider.


This malware runs on ATMs operating on all modern versions of Microsoft’s Windows operating system. It can be run straight as a stand-alone app or booted as a Windows service started by a launcher. Hackers use a GUI to enter a set of commands and an 8-digit code generated based on the ATM’s unique ID and the current time of the attack. Once everything is authorized, a simple “F3” keypress will dispense the money.


This malware package is likely to keep security professionals on their toes, as reverse-engineering of this malware will need to be completed as quickly as possible to prevent a potential chain of ATM heists. While there is some risk of the hacker being caught by cameras while the money dispenses, the operation can carry out in minutes, so it’s likely that law-enforcement professionals would not have the time to respond even if an exploit was detected.

Leave a Reply

Your email address will not be published. Required fields are marked *


Hi, guest!