Jackpotting attacks against ATMs are highly profitable, and often involve both logical and physical attack vectors. How can banks and ATM manufacturers safeguard their systems against such attacks? One of the most notorious malware families involved in modern ATM attacks is Ploutus.D, recently observed for the first time in the US, as Brian Krebs reported on January 27th.

Recent ATM Attacks

The use of Ploutus for ATM attacks isn’t new. Symantec described attacks on ATMs in Mexico, which used an early variant of this malware, as far back as 2013. FireEye published a detailed report about the updated variant, dubbed Ploutus.D, in 2017. The malicious program is designed to integrate with ATM software on the compromised machine to dispense cash. Another example of jackpotting was documented by Kaspersky in 2017. This attack incorporated “fileless” properties, which the adversaries devised to evade security tools in the bank’s environment.

To achieve jackpotting, the criminal installs the malware sample on the ATM. Sometimes this can be accomplished by gaining physical access to the ATM system, sometimes by communicating with it over the compromised network. Then, the crooks issue a command to the compromised ATM (sometimes by SMS) to begin dispensing cash, which is collected by a money mule.

This attack is complex, as it requires the criminals to know the implementation of ATM functionality, and quite risky (at least for the money mules). However, when executed successfully, the reward is cash, and a lot of it.



Malware Vaccination Defenses

The attack tools used to implement jackpotting are designed to get past security tools such as antivirus solutions. However, there are other ways to strengthen the security posture of ATMs to resist such attacks. For instance, Ploutus.D malware employed a mutex-based infection marker to avoid infecting the same system more than once, according to the FireEye report about this sample. Minerva Labs customers using the Anti-Evasion Platform can vaccinate their ATMs against Ploutus.D variants that use this marker by simulating its presence on the system.

When the corresponding malware sample attempts to run on the system, it will encounter the Minerva-simulated infection marker and terminate itself. In addition to preventing the infection, Minerva will notify the solution administrator about the event.

Minerva’s capability to simulate infection markers rapidly and in a scalable way allows organizations to distribute vaccines in a manner that would be impractical otherwise. This, and other defenses provided by Minerva’s Anti-Evasion Platform, can be deployed quickly and effectively without having any impact on the normal operation of the sensitive ATM environment.
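The mutex-marker vaccination idea described in this section can be illustrated with a short PowerShell script. This is an added example, not Minerva's implementation and not code from the original post; the marker name is a placeholder, and the use of the `Global\` namespace is an assumption that has to be checked against the published analysis of the sample.

```powershell
# Added illustration: hold a named mutex open so that software which treats it
# as an "already infected" marker finds it present and exits.
# ASSUMPTION: the marker name is a placeholder, and Global\ is assumed to be
# the namespace the sample checks; take both from the published analysis.
param(
    [string]$MarkerName  = 'PLACEHOLDER_MARKER_NAME',
    [int]   $HoldSeconds = 0     # 0 = hold until the process is stopped
)

function New-VaccineMutex {
    param([Parameter(Mandatory)][string]$Name)
    $fullName   = "Global\$Name" # visible from every session on the host
    $createdNew = $false
    try {
        $mutex = [System.Threading.Mutex]::new($false, $fullName, [ref]$createdNew)
    }
    catch [System.UnauthorizedAccessException] {
        # The object exists but its ACL denies us access: another process owns it.
        $mutex = $null
    }
    [pscustomobject]@{ Name = $fullName; Mutex = $mutex; CreatedNew = $createdNew }
}

$vaccine = New-VaccineMutex -Name $MarkerName

if ($vaccine.CreatedNew) {
    Write-Output "Marker '$($vaccine.Name)' created; holding it open."
}
else {
    # The marker was present before vaccination. It may belong to another
    # vaccine instance or to the malware itself, so flag the host for review.
    Write-Warning "Marker '$($vaccine.Name)' already existed; investigate this host."
}

try {
    # A named mutex is destroyed when its last handle closes, so the process
    # must stay alive for as long as the vaccine should remain in effect.
    if ($HoldSeconds -gt 0) { Start-Sleep -Seconds $HoldSeconds }
    else { while ($true) { Start-Sleep -Seconds 3600 } }
}
finally {
    if ($vaccine.Mutex) { $vaccine.Mutex.Dispose() }
}
```

Because the marker lasts only while the holding process runs, a deployment along these lines has to start it at boot and monitor it. It covers only variants that check this specific marker.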

Additional ATM Malware Safeguards

Malware vaccination isn’t the only tool in Minerva’s arsenal when it comes to protecting ATMs. Minerva Labs’ Critical Asset Protection allows users to conceal sensitive items in the machine from malware. This can be used, for example, to hide ATM-related DLLs that malicious software seeks in order to dispense cash. Once the malicious program tries to locate the DLLs, it will perceive them as non-existent or inaccessible. In this case, Minerva will block the attack and alert the organization about it, allowing the incident response team to quickly react to the prevented attack.

Minerva Labs’ Anti-Evasion Platform employs additional innovative countermeasures to automatically prevent infections from malware designed to bypass other security controls. These include techniques for “breaking” malware that attempts to employ memory injection techniques or possesses other malicious “fileless” characteristics.

To learn more about Minerva’s Anti-Evasion Platform and to discuss how it can strengthen the security posture of your ATMs and other endpoints, contact us.