Ploutos and Ploutus - Kaspersky Lab (go.kaspersky.com/rs/kaspersky1/images/ploutos_and_ploutus.pdf)
TLP: Green
Table of contents
Executive Summary (p. 3)
Analysis (p. 4)
  Malware in ATMs (p. 4)
  Campaign details (p. 5)
  First version: Ploutus (p. 6)
  New version: Ploutos (p. 8)
Attribution (p. 10)
Conclusions (p. 11)
Appendix 1: Technical details (p. 12)
  Ploutus: Old version (p. 12)
  Ploutos: New version (p. 14)
Executive Summary

This document analyzes the Ploutus/Ploutos malware, designed to steal money directly from ATMs and originally detected in Mexico in September 2013 by Kaspersky Lab's technology partner SafenSoft. One month later a second version of the malware was discovered. One of the main differences in the new sample is that it has been translated into English (the first version was in Spanish), which may indicate that the gang behind it plans to extend the campaign. In this document we analyze all the detected versions of the malware, focusing on the new one, and provide some background information about ATM attacks. Kaspersky Lab detects Ploutus (first version) as Trojan-Banker.MSIL.Atmer.a and Ploutos (second version) as Trojan-Banker.MSIL.Atmer.b.
Contact information: for any inquiry, please contact [email protected]
Analysis

This section provides background information about malware found in ATMs, describes the operational details of the Mexican campaign where the malware was originally detected, and describes the main features of both the first and the second version of the malware.
Malware in ATMs

The first malware for ATMs, detected by Kaspersky Lab as Backdoor.Win32.Skimer, was publicly disclosed on 17 March 2009. Earlier attacks on ATMs had taken place, but mostly through skimmers or social engineering (placing an ATM controlled by criminals in a public space and waiting for victims to use it). Skimer was discovered in several Diebold ATMs running a Windows-based operating system and affected at least three banks in Russia; the ATMs were located in Moscow and Saint Petersburg. The malware used undocumented functions to collect and print the details of every card inserted into the infected ATM, and it was also able to open the cash cassettes using a master-card command. It is not clear how the attackers were able to plant the malware inside the affected ATMs. Gang members involved in infecting the ATMs were arrested in Saint Petersburg in June 2009. However, the author of Backdoor.Win32.Skimer is still free and continues to create malware for Diebold ATMs in Eastern Europe (Ukraine, Macedonia, etc.). Kaspersky Lab has 29 different samples of this malware in its collection, the last one added on October 19th, 2013. The newest version ignores cards and only interacts with the cash cassettes.

A second case was discovered in Brazil in late December 2010 (detected as Trojan-Spy.Win32.SPSniffer). This malware used third-party utilities (such as the one at http://www.pcworld.com/product/954711/tviccommspy.html) to access card data transferred over standard COM and USB ports. In this way it was able to collect PINs on outdated ATMs whose PIN pads lacked strong cryptographic protection. This third-party approach could be used against any Windows-based ATM regardless of manufacturer-specific peculiarities. This malware only targets card data.
At the time of writing, there are 37 different samples of this family in Kaspersky Lab's collection, the last one added on July 10th, 2013, which suggests that this malware is under active development. Another notable piece of research was presented by Barnaby Jack at Black Hat 2010: he was able to hack ATMs from Tranax and Triton, gaining complete control of the device and cashing out. However, no malware exploiting these vulnerabilities has been found in the wild. Ploutus/Ploutos is the third malware family targeting ATMs, in this case affecting only NCR devices.
Campaign details

According to external researchers, the malware was loaded onto the ATMs through their CD-ROM drives, apparently after picking a lock. The Mexican police arrested two Venezuelan suspects based in Mexico in connection with this case. The arrest was made on August 24th, before information about the malware was made public.
Figure 1: Arrested suspects
The suspects were arrested while stealing 426,000 pesos from an ATM. Employees of the store where the ATM was located observed that the suspects were able to get the money without using any card, and that they were speaking on the phone while doing so. This is not the first time a Venezuelan ATM gang has operated in Mexico: there are references from 2006, in that case using social engineering. The number of ATMs affected and the amount of money stolen remain unknown.
First version: Ploutus

The first version of "Ploutus" was detected in Mexico in September 2013. Apparently the malware was installed by gaining physical access to the ATM's CD-ROM drive. Its main functionality is to cash out money from the cassettes. It also has a service installer, performs keyboard hooking and, interestingly, has a graphical user interface listing the main features:
Figure 2: Ploutus GUI
The interface is in Spanish. Below is a translation of the options presented to the user:
Generar ID: Generate ID
Activar ATM: Activate ATM
Dispensar: Cash out
Salir: Exit
Ploutus installs itself as a Windows service so that it is available on demand to the criminals: the "NCRDRVPS" service is created and starts every time the ATM boots.
Access to the GUI is provided by pressing a specific sequence of function keys: "F8F1F7F3F5F4F2". Unusually, this malware has its own security measures: an 8-character activation code, derived from the current date, is needed before the malware can be used. The following commands are supported, which are the same as those offered through the graphical interface:
• 12340000: A test command which just prints the current date.
• 12343570: Prints the generated ATM ID.
• 12343571 + 8 digits: The activation code. The activation date and the MD5 hash of the encoded activation code are stored in the configuration file.
• 12343572 + bill index + number of bills: Dispenses the specified money.
• F8F1F7F3F5F4F2: Shows the GUI.
The malware is written in C# for .NET Framework 2.0, so it can run on any Windows system with that framework installed. Interaction with the ATM is done through the .NET library provided by NCR. We do not know for certain how "public" this library is, but it is known to have been sold on some forums.
New version: Ploutos

A month after the discovery of Ploutus, another version of the malware, renamed Ploutos, was found; interestingly, the new version has been translated into English. As with the previous sample, this one also uses obfuscation to protect itself, in this case a widely known packer and obfuscator for Microsoft .NET called "Confuser" (version 1.9). The use of the latest version of this tool shows that the sample was created recently. This new version was re-engineered with a modular architecture in mind, so we can assume this was done on purpose to create a more stable and robust version of the malware. The graphical user interface is no longer present and interaction with the malware is done through the ATM's keypad. A comparison of the classes available in the two samples is shown below:
Figure: classes present in the new Ploutos sample compared with the old Ploutus sample
One of the most notable differences in the new version is the lack of a GUI, a logical step to reduce the risk of being detected while operating on bank premises. The new version allows money to be dispensed by just pressing some keys on the standard keypad, as a regular user would.
Another main difference is that many of the Spanish words found in the code were removed or changed to their English equivalents. Still, many misspellings remain, which reinforces our suspicion that the sample is of Spanish-speaking origin.
Commands are sent to the malware through a special sequence entered on the ATM's keypad. The last two digits of a sixteen-digit sequence encode the instruction the attacker wants to perform: Ploutos generates a random 16-digit ID for the ATM, and the last two digits of that ID are replaced by the opcode of one of the following actions:
- AutoKill: Kills any running Ploutos process.
- AutoCheck: Makes sure everything is ready for cashing out.
- MoneyOut: Cashes out money from the ATM and prints the configuration.
Another difference is how the money is cashed out. In this version it is not possible to specify the amount of money to steal; the malware selects a cassette itself based on the bills available (see Appendix 1). Also, it only allows cashing out during the first 24 hours after the malware was installed.
Attribution

PLOUTOS (or Plutus) was the Greek god of wealth. He was at first associated purely with the bounty of rich harvests; later he came to represent wealth in more general terms. He was blinded by Zeus so that he would distribute wealth indiscriminately, without favor towards the good or the virtuous. The GUI shows that the malware was written in Spanish. The poor English translation and the geographical location of the infected machines point in the same direction.
There is not much text to work with, but "Dispensar" ("Dispense") is a term used much more often in Latin America than in Spain. The use of the NCR .NET library and the need for physical access to the machine may point to this being an insider job. However, there are some forums, especially popular in Latin America, where all kinds of software and manuals for these ATMs are exchanged. Physical access to the machines apparently is not a problem: in some Latin American forums the physical hacking of different ATM models is openly discussed. It seems quite common for attackers to have physical access to ATMs, from which they retrieve the track logs, although they cannot decipher the content.
The most worrisome aspect of this is that some of them claim to be ATM technicians.
Conclusions

This malware is clear proof that attackers are moving to new targets, going directly for the cash. Even though physical access was needed, they were not afraid to run such a campaign, and worse, to expand it. Apparently it is not a big problem to gather the information needed to write such malware, nor to physically install it in a target ATM. According to information retrieved from forums, this kind of fraud is discussed quite openly and many ATM operators/technicians are interested in learning how to commit it. This is the perfect soil for a criminal gang to emerge and grow.

The main feature of both versions is to cash out an infected ATM. The differences are quite minimal, the most notable being the translation of the new version into English. Both versions use a .NET library provided by NCR to interact with its hardware. We do not know whether any vendor other than NCR uses this library as well; if so, their devices may also be vulnerable to Ploutus. The new version is more silent than the previous one, but is still functional. The infection vector is still physical.

The presence of security and anti-virus software on the ATM and the (logical and physical) hardening of the device should be considered vital for avoiding this kind of threat. The success of campaigns like this one may determine how popular this kind of attack becomes in the near future.
Appendix 1: Technical details
Ploutus: Old version
MD5: 488acf3e6ba215edef77fd900e6eb33b
MD5: b9f5bd514485fb06da39beff051b9fdc
Unusually, this malware has its own security measures: an 8-character activation code, based on the current date, is needed to start working with the malware.
The payload is packed and stored inside a loader as a .NET resource. Both are PE EXE files written in C# for .NET Framework 2.0. The loader decrypts its resource and loads it via Reflection. The payload is installed as a Windows service named "NCRDRVPS". After successful installation the Trojan starts to monitor keyboard input for commands using the SetWindowsHookEx API with WH_KEYBOARD_LL.
The following commands are supported:
• 12340000: A test command which just prints the current date.
• 12343570: Prints the generated ATM ID.
• 12343571 + 8 digits: The activation code. The activation date and the MD5 hash of the encoded activation code are stored in the configuration file.
• 12343572 + bill index + number of bills: Dispenses the specified money.
• F8F1F7F3F5F4F2: Shows the GUI.
The graphical interface provides the same features. The malware uses a .NET library, presumably made by NCR, with public (in .NET terms) interfaces required to work with the ATM hardware. These include, for example, XFSCashDispenserClass, used to operate the dispenser. This class raises a wide range of events and the Trojan handles almost all of them just by printing the corresponding messages. One exception is AvailabilityChanged, which is used to get information about the remaining bills in the machine's cassettes (1 through 4, via the IXFSCassette2 interface) and to dispense the requested amount of money via SyncDispense. As shown above, the attackers can select the number and denomination of bills as they wish.
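To make the command grammar above concrete, here is an added Python model (not code from the report, and not the malware, which is C#) of how a low-level keyboard hook turns a stream of key presses into the commands listed for the first version. It reproduces only the grammar the report gives: the four digit-prefixed commands and the function-key hotkey. The key-name convention, the bounded buffer, the one-digit cassette index and two-digit bill count for the dispense command (the report states neither width), and hashing the raw ASCII digits of the activation code for the stored MD5 (the report says only that the "encoded" code is hashed) are assumptions of this example.

```python
"""Model of the first-version (Ploutus) keyboard-hook command grammar.

Added example, not code from the Kaspersky report or from the malware. The
sample installs a WH_KEYBOARD_LL hook via SetWindowsHookEx and watches typed
keys for the command prefixes the report lists; this model feeds key names
through that grammar so an analyst can see how a captured keystroke log would
be interpreted.

Assumptions: keys arrive as names such as "7" or "F8"; the dispense command
carries a one-digit cassette index and a two-digit bill count; the stored
MD5 is taken over the ASCII digits of the activation code.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

GUI_SEQUENCE = ["F8", "F1", "F7", "F3", "F5", "F4", "F2"]  # from the report

CMD_TEST = "12340000"      # prints the current date
CMD_PRINT_ID = "12343570"  # prints the generated ATM ID
CMD_ACTIVATE = "12343571"  # + 8-digit activation code
CMD_DISPENSE = "12343572"  # + cassette index + number of bills

ACTIVATION_CODE_LEN = 8
CASSETTE_DIGITS, BILL_COUNT_DIGITS = 1, 2               # assumed widths
MAX_DIGITS = len(CMD_ACTIVATE) + ACTIVATION_CODE_LEN    # longest command: 16 digits


@dataclass
class Command:
    name: str
    args: dict = field(default_factory=dict)


class KeyStreamParser:
    """Consumes one key name at a time, as a hook callback would, and returns
    a Command whenever a complete sequence has been typed."""

    def __init__(self) -> None:
        self.digits = ""              # trailing digit buffer
        self.fkeys: List[str] = []    # trailing function-key buffer

    def feed(self, key: str) -> Optional[Command]:
        if len(key) > 1 and key[0] == "F" and key[1:].isdigit():
            self.fkeys = (self.fkeys + [key])[-len(GUI_SEQUENCE):]
            if self.fkeys == GUI_SEQUENCE:
                self.fkeys = []
                return Command("show_gui")
            return None
        if not key.isdigit():
            self.digits = ""          # any other key breaks a digit sequence
            return None
        self.digits = (self.digits + key)[-MAX_DIGITS:]
        # The hook cannot know where the operator started typing, so every
        # suffix of the buffer is tried, longest first.
        for start in range(len(self.digits)):
            cmd = self._match(self.digits[start:])
            if cmd is not None:
                self.digits = ""
                return cmd
        return None

    @staticmethod
    def _match(s: str) -> Optional[Command]:
        if s == CMD_TEST:
            return Command("test", {"date": date.today().isoformat()})
        if s == CMD_PRINT_ID:
            return Command("print_atm_id")
        if s.startswith(CMD_ACTIVATE) and len(s) == len(CMD_ACTIVATE) + ACTIVATION_CODE_LEN:
            return Command("activate", {"code": s[len(CMD_ACTIVATE):]})
        if s.startswith(CMD_DISPENSE) and len(s) == len(CMD_DISPENSE) + CASSETTE_DIGITS + BILL_COUNT_DIGITS:
            body = s[len(CMD_DISPENSE):]
            return Command("dispense", {"cassette": int(body[:CASSETTE_DIGITS]),
                                        "bills": int(body[CASSETTE_DIGITS:])})
        return None


def parse_keylog(keys: List[str]) -> List[Command]:
    """Run a whole captured key sequence through the parser."""
    parser = KeyStreamParser()
    return [c for c in (parser.feed(k) for k in keys) if c is not None]


def record_activation(config: dict, code: str, today: date) -> dict:
    """What the report says the first version stores after activation: the
    activation date and an MD5 of the activation code (hash input assumed)."""
    config["activation_date"] = today.isoformat()
    config["activation_md5"] = hashlib.md5(code.encode("ascii")).hexdigest()
    return config


if __name__ == "__main__":
    # Constructed keystroke log: stray digits, the GUI hotkey, an activation,
    # then a request for 5 bills from cassette 1.
    log = list("42") + GUI_SEQUENCE + list("1234357120131001") + list("12343572105")
    for cmd in parse_keylog(log):
        print(cmd)
```

The suffix scan matters in practice: an operator who mistypes or an ATM application that consumed some keys first still leaves a valid command at the end of the buffer, which is exactly what a hook-based command channel relies on.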
Ploutos: New version
MD5: eca2ca8ecf63816d9a157888e3d871dc
The second version of the Trojan has some differences, starting with the new modular structure and the translation into English:
§ The dispatcher and listener were made into separate modules
§ The command format was changed
  • The command «2836957412536985» is used to generate a new ATM ID. It is stored in the configuration file.
  • New commands are now based on a 16-digit ATM ID. The last 2 digits specify the command. The following ones are supported:
    § 99 – Terminate the Trojan process
    § 54 – Activate
    § 31 – Dispense money. With this version of the Trojan the attacker cannot specify how much money to dispense; a more complex algorithm is used instead. The malware checks all available cassettes and empties the first one holding 40 or more bills. It then displays the total amount of money remaining in the ATM.
Figure 3: Displaying of ATM´s status
An initial dependency analysis still shows the NCR.APTRA.AXFS library. By offering a wide array of methods for interacting directly with the ATM equipment, this DLL makes it easy for the malware authors to write high-level code that can be modified quickly.
Most of the languages available within the .NET framework are aimed at giving developers a rapid way to create prototypes and applications. In this case, a C# application using several .NET cryptography namespaces and a third-party interface for ATM interaction keeps the code easily updatable. This .NET malware was compiled with version 2.0.50727 of the framework. Without modifying the file we could see that the obfuscation process had added some cryptic resources/modules. In addition, a "___.netmodule" file is referenced but not included directly, which means it is only created in memory when the malware executes. Once the sample is unpacked we can see some interesting strings:
Figure 4: Decrypted strings
The application begins by creating a Panel object and calling Application.Run on that newly created instance. The Panel_Load method is one of the most important sections of code: depending on the supplied command-line arguments, the malware decides what actions to perform.
The first instructions in this method hide the Panel, making it invisible to the user. After that the command-line arguments are parsed and the operation instructed by the criminal is performed. Ploutos uses the last two digits of a sixteen-digit sequence, entered via the ATM's keypad, to determine which operation code has been sent.
- op code 99: The malware stops its execution by running the "taskkill" command available on all Windows platforms. Ploutos also checks for other running instances so as to avoid having more than one sample executing at the same time:
cmd.exe /C TASKKILL /F /IM Ploutos.exe
The ReceiveTrack method recognizes more op codes:
The argument used previously to invoke Ploutos from the command line is passed to this method as a string parameter. Two more op codes are recognized here (54 and 31), together with a hardcoded "magic" string used to generate a new ATM ID.
- op code 54: Ploutos performs a simple check to verify that the user has access to the malware's control functionality and then prepares everything for the money dispensing process. We infer that this mechanism was designed to prevent the malware from being used by anyone other than the criminals who installed it on the ATM. The values used to verify access are stored in a configuration file.
- op code 31: The "show me the money" code, which calls the DispeseV method that is in charge of actually handing out the money. A nice detail is that a PrintV method is also called to print the ATM's configuration. A time span structure is used to calculate the time elapsed since the initial infection ("DATAB"). After 86400 seconds, or 24 hours, it is no longer possible to extract money from the infected ATM.
The "magic string" can be used to generate a new ATM ID. When the criminal enters "2836957412536985" through the keypad, the following code snippet is executed. Using some random numbers and the current date, it generates a new ID which will be used to communicate with the malware on that ATM. This number is stored in the "DATAA" section of the configuration file; the value of "DATAC" is cleared at the same time.
As determined earlier, the last two digits of the ATM ID are replaced by the op code to execute, so it makes sense that ID generation is one of the first operations performed on the ATM. After this, Ploutos is able to recognize and validate the instructions sent through the command interface. Ploutos includes a method to verify that no other instances are running at the same time, by checking for a Mutex conveniently named "Ploutos". A simple method reads the configuration values from a file called "Config.ini". From what we have researched so far, the values stored in this file are "DATAA", "DATAB" and "DATAC", used to store the ATM ID, the infection time and the activation code respectively.
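The following is an added Python model, written for this page and not taken from the report or from the malware, of the second version's control flow as the appendix describes it: the magic string producing a fresh 16-digit ID (stored as DATAA, clearing DATAC), commands formed by replacing the ID's last two digits with an op code (99, 54, 31), the 86400-second dispense window measured from DATAB, and the cassette rule of emptying the first cassette holding 40 or more bills and then reporting what is left. How the real ID is derived from its random numbers and date, what op code 54 actually verifies (here it simply records an activation value in DATAC), and the cassette representation are assumptions of this example; the method name receive_track only mirrors the ReceiveTrack name in the report.

```python
"""Behavioural model of the second version's (Ploutos) keypad command interface.

Added example, not the malware's code or the report's. Assumptions: the ID is
8 random digits followed by the date (DDMMYYYY); op code 54 just stores the
activating sequence in DATAC; cassettes are index -> (denomination, count).
"""
import random
from datetime import datetime
from typing import Dict, Optional, Tuple

MAGIC_NEW_ID = "2836957412536985"      # from the report
OP_KILL, OP_ACTIVATE, OP_DISPENSE = "99", "54", "31"
DISPENSE_WINDOW_SECONDS = 86400        # 24 hours after the infection time (DATAB)
MIN_BILLS_TO_EMPTY = 40


class PloutosModel:
    def __init__(self, cassettes: Dict[int, Tuple[int, int]], infected_at: datetime,
                 rng: Optional[random.Random] = None) -> None:
        self.cassettes = dict(cassettes)
        # Config.ini values named in the report: ATM ID, infection time, activation code.
        self.config = {"DATAA": "", "DATAB": infected_at.isoformat(), "DATAC": ""}
        self.rng = rng or random.Random()
        self.running = True

    def generate_id(self, now: datetime) -> str:
        """Assumed construction: 8 random digits followed by the date."""
        atm_id = f"{self.rng.randrange(10**8):08d}" + now.strftime("%d%m%Y")
        self.config["DATAA"] = atm_id
        self.config["DATAC"] = ""      # a new ID invalidates the previous activation
        return atm_id

    def receive_track(self, entered: str, now: datetime) -> dict:
        """The 16 digits typed on the keypad arrive as one string."""
        if entered == MAGIC_NEW_ID:
            return {"status": "new_id", "atm_id": self.generate_id(now)}
        atm_id = self.config["DATAA"]
        if not atm_id or len(entered) != 16 or not entered.isdigit():
            return {"status": "ignored"}
        if entered[:14] != atm_id[:14]:
            return {"status": "ignored"}   # not this ATM's ID
        opcode = entered[14:]
        if opcode == OP_KILL:
            self.running = False           # real sample: cmd.exe /C TASKKILL /F /IM Ploutos.exe
            return {"status": "killed"}
        if opcode == OP_ACTIVATE:
            self.config["DATAC"] = entered # assumed: remember the activating sequence
            return {"status": "activated"}
        if opcode == OP_DISPENSE:
            if not self.config["DATAC"]:
                return {"status": "not_activated"}
            infected_at = datetime.fromisoformat(self.config["DATAB"])
            if (now - infected_at).total_seconds() > DISPENSE_WINDOW_SECONDS:
                return {"status": "expired"}
            return self.dispense()
        return {"status": "unknown_opcode", "opcode": opcode}

    def dispense(self) -> dict:
        """Empty the first cassette with >= 40 bills, then report what is left."""
        for idx in sorted(self.cassettes):
            denomination, count = self.cassettes[idx]
            if count >= MIN_BILLS_TO_EMPTY:
                self.cassettes[idx] = (denomination, 0)
                return {"status": "dispensed", "cassette": idx, "bills": count,
                        "amount": count * denomination, "remaining": self.total_remaining()}
        return {"status": "nothing_dispensed", "remaining": self.total_remaining()}

    def total_remaining(self) -> int:
        return sum(d * c for d, c in self.cassettes.values())


def run_scenario() -> dict:
    """Constructed walkthrough: new ID, wrong ID, premature dispense, activate,
    dispense, attempt after the 24-hour window, kill."""
    atm = PloutosModel({1: (500, 30), 2: (200, 60), 3: (100, 45), 4: (50, 0)},
                       infected_at=datetime(2013, 10, 1, 9, 0), rng=random.Random(1))
    t0 = datetime(2013, 10, 1, 10, 0)
    atm_id = atm.receive_track(MAGIC_NEW_ID, t0)["atm_id"]
    base = atm_id[:14]
    out = {"atm_id": atm_id}
    out["wrong_id"] = atm.receive_track("1111111111111131", t0)
    out["before_activation"] = atm.receive_track(base + OP_DISPENSE, t0)
    out["activate"] = atm.receive_track(base + OP_ACTIVATE, t0)
    out["dispense"] = atm.receive_track(base + OP_DISPENSE, t0)
    out["next_day"] = atm.receive_track(base + OP_DISPENSE, t0.replace(day=2, hour=9, minute=1))
    out["kill"] = atm.receive_track(base + OP_KILL, t0)
    out["running"] = atm.running
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

Two properties of the real sample fall out of the model: a cassette with fewer than 40 bills is never touched (cassette 1 above survives with 30 bills of the highest denomination), and once 86400 seconds have passed since DATAB the activation no longer helps, so an infected ATM that has not been emptied within a day of installation would have to be re-infected.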
In this new variant there is still a logging method present, but we could not find any references to it in the code. Apparently it is now obsolete, but the creators of the malware forgot to remove it. The Dispense class uses functionality provided by the NCR library, which made programming this malware a much simpler task. Interacting with the ATM through the library's exposed methods keeps the malware code and the ATM interface code separated, giving the authors the opportunity to rapidly modify the sources and generate a new variant of this threat when needed.