
Ploutus

Posted: January 18, 2017

Ploutus is a family of Trojans that force ATMs to eject bills, allowing a physically present con artist to steal cash from the machine. New versions of Ploutus include improved anti-security and compatibility features, but they still require a strong physical element that businesses can counter with appropriate security monitoring protocols. Since this Trojan is a sophisticated and frequently updated threat, update your anti-malware protection regularly so that it can detect and remove Ploutus when necessary.

A Program Embodying Four Years' Worth of Greed

First spotted in its earliest form back in 2013, Ploutus is a Trojan that periodically receives updates improving its payload, which is always built around compromising the cash supply of Automated Teller Machines. Most versions of Ploutus, including the latest (Ploutus-D, named for its targeting of the Diebold brand), require keyboard input by the thief. However, other variants of the Trojan use SMS messages to accomplish the same attacks.

After gaining physical access to the ATM, local threat actors install Ploutus either as a stand-alone application or as a Windows service. A temporary, one-day-only code issued by the threat actor administering the campaign activates Ploutus; the code is derived from details such as the date of the attack. The con artists then issue commands that force the dispensing of money without requiring an ATM card.
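Because the installation described above either drops a stand-alone program or registers a Windows service, one defensive check is to review Service Control Manager "new service installed" records (Event ID 7045) from the ATM host against a baseline allowlist. The following is an added example, not code from the original post or from any vendor; the flattened event format, the baseline service names and the sample log lines are all constructed for illustration.

```python
"""Flag unexpected Windows service installations on an ATM host.

Added example (not the original post's code). Reviews exported Service
Control Manager 'new service installed' records (Event ID 7045) against
a baseline allowlist. Event format and baseline names are assumptions.
"""
import re

# Assumed baseline of services the ATM golden image is expected to create.
# A real allowlist comes from the site's own image inventory, not this list.
BASELINE_SERVICES = {"wuauserv", "XFS Manager", "AgentService"}

# Minimal pattern for an assumed flattened 7045 export:
# <timestamp> EventID=7045 ServiceName="<name>" ImagePath="<path>"
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=7045 ServiceName=\"(?P<name>[^\"]*)\" "
    r"ImagePath=\"(?P<path>[^\"]*)\""
)

# Service binaries living under user-writable locations deserve a look
# even when the service name itself is on the allowlist.
_WRITABLE_PATH_RE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)

def parse_7045(line):
    """Return a dict with ts/name/path for a 7045 line, else None."""
    m = _EVENT_RE.match(line)
    return m.groupdict() if m else None

def unexpected_services(lines, baseline=BASELINE_SERVICES):
    """Return (timestamp, name, path) for installs that are not baselined
    or whose image path sits in a user-writable location."""
    findings = []
    for line in lines:
        ev = parse_7045(line)
        if ev is None:
            continue
        if ev["name"] not in baseline or _WRITABLE_PATH_RE.search(ev["path"]):
            findings.append((ev["ts"], ev["name"], ev["path"]))
    return findings

# Constructed sample log lines; the names and paths are not real indicators.
SAMPLE_LOG = [
    '2017-01-18T02:11:05Z EventID=7045 ServiceName="wuauserv" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    '2017-01-18T02:14:31Z EventID=7045 ServiceName="UpdaterSvc" ImagePath="C:\\Temp\\launcher.exe"',
    '2017-01-18T02:15:02Z EventID=7045 ServiceName="AgentService" ImagePath="C:\\Users\\tech\\Downloads\\agent.exe"',
]

if __name__ == "__main__":
    for ts, name, path in unexpected_services(SAMPLE_LOG):
        print(f"{ts} unexpected service '{name}' from {path}")
```

On the constructed sample the first line is baselined and ignored, the second is flagged for an unknown service name, and the third is flagged because an allowlisted name points at a binary under a user profile.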

Other features that malware researchers find improved from old versions of Ploutus include:

  • The new version of Ploutus specifically targets the Diebold brand of ATMs, although it also has more general compatibility with the Kalignite platform and most versions of Windows. Trivial updates could let it target other ATM brands that meet those prerequisites.
  • The launcher for Ploutus scans active processes for names matching various security solutions that could interfere with the Trojan, and it can terminate such processes automatically.
  • Although previous versions of Ploutus obfuscated their code with .NET Confuser, this protection was apparently judged inadequate. Its programmers have updated Ploutus to use Reactor, a more advanced obfuscator that hinders analysis and reverse-engineering of the program's code.

Stopping Con Artists from Hunt and Pecking Their Way to Riches

While the physical access Ploutus requires always poses a high-visibility problem for money mules, they can reduce the risk of getting caught by minimizing the time spent extracting money. Cash extraction is possible through a short series of key commands (which malware experts note are issued exclusively via the F-row keys). Ploutus also takes steps to guarantee a quick and easy installation, such as dropping genuine KAL software components to eliminate any possibility of dependency errors.

Businesses with ATMs on their premises should continue emphasizing vision-based security protocols, such as camera monitoring, and inform all employees of this Trojan family's keyboard requirement. Since Ploutus, like most threats, persists across reboots, con artists can install it in one visit and return later to finish extracting money, if necessary. Update your anti-malware products so they can detect and delete Ploutus, rather than having the Trojan's launcher terminate them.

Nothing is truly free, and as long as ATM vendors continue building on thoroughly explored platforms like Windows and Kalignite, Ploutus and others of its kind will remain a problem.
