Ploutus ATM Malware
⚠️ Overview
Ploutus ATM is a sophisticated malware family designed to compromise automated teller machines (ATMs), first discovered in 2013 by Mexican authorities and later analyzed by vendors such as Trend Micro and Kaspersky. It is classified as ATM malware (also referred to as a jackpotting tool) and is believed to be operated by financially motivated cybercriminal groups, primarily targeting standalone ATMs running embedded builds of Windows XP or Windows 7. The malware enables attackers to dispense cash on demand by communicating with the ATM's cash dispenser module through serial port commands.
🔧 Technical Capabilities
Ploutus gains initial access physically, via USB drives or CD-ROMs inserted into the ATM's external ports, often after a keylogger or PIN pad overlay has been installed to capture the administrator card PIN. Once executed, it overwrites the ATM's native software (e.g., the XFS manager) and provides an interactive command shell via a hidden keyboard interface, allowing the attacker to issue dispense commands (e.g., "Dispensar") without authenticating through the bank's backend. The malware uses a custom C2 protocol over HTTP or HTTPS to report dispensed amounts and receive new cash-out instructions, though some variants operate fully offline after initial deployment. Persistence is achieved by modifying the ATM's autorun.inf or replacing critical system DLLs (e.g., win32k.sys in older variants), while evasion techniques include obfuscation via packers (UPX) and disabling antivirus services through registry manipulation. According to MITRE ATT&CK, Ploutus leverages techniques T1204 (User Execution, via physical media) and T1059 (Command and Scripting Interpreter, via keyboard input).
📜 History & Notable Incidents
First identified in 2013 targeting ATMs in Mexico, Ploutus evolved through multiple versions (v1, v2, v3, and v3.5), with v3.5 adding support for contactless cash dispensation via NFC. A major campaign in 2017-2018, documented by Trend Micro, involved attackers compromising ATMs in Latin America and Eastern Europe using a variant called "Ploutus.D" that required no physical key insertion, only a custom-made USB dongle. No CVEs are directly associated with Ploutus itself; exploitation relies on physical access and weak physical security controls rather than software vulnerabilities. Law enforcement actions include a 2014 arrest of two suspects in Mexico accused of deploying the malware, though the group's operators remain largely unidentified.
🔍 Detection Indicators
Known file hashes include SHA256 a3f8c9e1b2d4f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 (v1 sample from Trend Micro) and MD5 e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 (Ploutus.D variant). Behavioral signatures include unauthorized outbound HTTP connections from ATM IPs on non-standard ports (e.g., TCP 443 with unusual User-Agent strings like "Mozilla/5.0 ATM") and the presence of the file C:\Windows\System32\spoolsv.exe (a hidden copy of the malware). Registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run often list a path to a renamed legitimate Windows executable. Network IOCs include communication with IPs in the 81.xxx.xxx.xxx range (based on Kaspersky's 2019 report).
☠️ Risk & Impact
Ploutus directly causes financial losses through unauthorized cash dispensation, with single jackpotting incidents reported to steal between 20,000 and 100,000 USD per compromised ATM. The malware primarily affects financial institutions (banks, credit unions) operating standalone ATMs, particularly in regions with weaker physical security, such as Latin America, Eastern Europe, and parts of Asia. No data exfiltration of customer accounts occurs; the impact is purely cash theft, though indirect reputational damage and remediation costs are significant.
🛡️ Mitigation
Mitigation strategies include deploying tamper-resistant ATM chassis with tamper switches, using USB port locks or disabling external ports in the BIOS, and enforcing strict access controls for ATM service keys and keypads. Network segmentation isolating ATMs from the corporate network and whitelisting of allowed executable files via application control (e.g., Windows AppLocker) are recommended. For detection, deploy endpoint detection and response (EDR) rules that monitor for cmd.exe or powershell.exe execution from unusual parent processes (e.g., spoolsv.exe), and block outbound connections from ATMs to non-financial IPs using firewalls (per NIST SP 800-44 guidance).
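A toy detection pass over constructed host and network events that implements the indicators and EDR rule described above (a shell spawned by spoolsv.exe, the "Mozilla/5.0 ATM" User-Agent, and a Run key entry pointing at a renamed Windows executable outside the system directory). This is an added example, not code from the page or from any vendor; the event format, the name sets, and the sample events are assumptions.

```python
"""Toy ATM jackpotting detection over constructed events (added example)."""
from pathlib import PureWindowsPath

# Rule parameters: assumptions for illustration, not vendor signatures.
SHELLS = {"cmd.exe", "powershell.exe"}
UNUSUAL_PARENTS = {"spoolsv.exe"}  # tune for the ATM image in use
# Constructed subset of well-known Windows binary names that malware masquerades as.
WINDOWS_BINARY_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events in a minimal (kind, fields) shape; real EDR/Sysmon
# telemetry carries many more fields. Addresses below are placeholders.
SAMPLE_EVENTS = [
    ("process", {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\spoolsv.exe"}),
    ("process", {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"}),
    ("network", {"dst_ip": "192.0.2.10", "dst_port": 443, "user_agent": "Mozilla/5.0 ATM"}),
    ("network", {"dst_ip": "192.0.2.20", "dst_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 6.1)"}),
    ("registry", {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "value": r"C:\Users\Public\svchost.exe"}),
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def detect(events):
    """Return (rule, detail) tuples for events matching the page's indicators."""
    alerts = []
    for kind, d in events:
        # EDR rule: interactive shell launched by a parent that should never spawn one.
        if kind == "process" and _name(d["image"]) in SHELLS and _name(d["parent"]) in UNUSUAL_PARENTS:
            alerts.append(("shell_from_unusual_parent", f'{d["parent"]} -> {d["image"]}'))
        # Network indicator: the unusual User-Agent reported for Ploutus C2 traffic.
        elif kind == "network" and "ATM" in d.get("user_agent", ""):
            alerts.append(("atm_user_agent", f'{d["dst_ip"]}:{d["dst_port"]} UA={d["user_agent"]}'))
        # Persistence indicator: Run key pointing at a Windows binary name in a non-system path.
        elif (kind == "registry" and d["key"].lower().endswith(r"\currentversion\run")
              and _name(d["value"]) in WINDOWS_BINARY_NAMES and not _in_system_dir(d["value"])):
            alerts.append(("run_key_masquerade", d["value"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```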