Piolin, the First Malware
Jackpotting ATMs in US
Meet Piolin, the first ATM Malware Jackpotting ATMs in US
Background
Ploutus is an ATM malware discovered back in 2013 [1] that targets ATMs manufactured by NCR in Mexico.
Ploutus gained a lot of media coverage thanks to its capability to be controlled by SMS messages [2]. It
exhibited other sophistication such as the ability to switch the ATM into supervisor mode in order to
dispense cash. The next variant of Ploutus was seen in South America targeting ATMs manufactured by
Diebold, hence the name Ploutus-D [3]. This new variant was able to control the multi-vendor ATM
software Kalignite (KAL). Here is the description of this software on its website:
“KAL's product suite enables ATM hardware, software and services sourced from multiple vendors to
work together perfectly.”
A perfect target for Ploutus-D since it can run on multiple vendors as well.
Around the same time, another variant of Ploutus-D was identified in Mexico, this time controlling
Diebold's Agilis Middleware [4]. Similar to the previous variants, the attackers demonstrated in-depth
knowledge of the internal workings of the ATM manufacturers' middleware. The latest variant offered a
new module that allows the attackers to manage ATMs remotely to set up the malware and issue licenses
to their customers.
Recently, in January 2018, according to journalist Krebs, the U.S. Secret Service quietly alerted financial
institutions that Ploutus-D had been discovered jackpotting ATMs in the USA [5]. Analysis of the new variant
revealed that it is a modified copy of a previous version targeting Diebold Agilis Middleware [4], but with
some important differences. The differences suggest that the Latin American individuals behind Ploutus
are not behind the recent heists that took place in the US. The new variant is named "Piolin" (the Tweety Bird
cartoon character) by its authors.
This paper details all the new features of Piolin ATM Malware and its comparison with Ploutus-D.
Overview
Piolin is an ATM Malware that is based on Ploutus-D but created specifically to target ATMs in the US.
The malware was presumably created by different individuals than the ones behind Ploutus.
Here are some of the differences between Piolin and Ploutus-D:
1. Comes packed with a .NET injector as an extra layer of obfuscation
2. Targets only USD currency
3. The licensing mechanism has been changed
4. New XML-based logging class
Here are some similarities between Piolin and Ploutus-D:
1. All the interaction with the malware and the dispensing logic is the same
2. Same Agilis software package installed in the ATM along with the malware
3. Targets Diebold Agilis Middleware
4. All logging information is mostly written in Spanish
Evolution of Ploutus-D
The table below outlines the three known variants of Ploutus-D:

Malware Name | File Name | MD5 | Target | Date Created | Country First Seen
Ploutus-D | AgilisConfigurationUtility.exe | 5AF1F92832378772A7E3B07A0CAD4FC5 | Kalignite | 2015 | Peru
Ploutus-D | AgilisConfigurationUtility.exe | 60C1A0E0504318294B552F8CF395BB25 | Diebold Agilis | 2015 | Mexico
Piolin | CalcAgilis.exe | 7FAEC476C914CDF0A595BDB9A1B5D59D | Diebold Agilis | 2017 | USA
Interacting with Piolin
The way the attackers interact with Piolin is the same as with Ploutus-D (see Figure 0). It can be done via
an external keyboard or the PIN pad. However, the version seen in Mexico came with a WiFi module
(SimpleWifi.dll) [4] that enables the ATMs to be managed remotely. Although Piolin is not confirmed to
include such a module, it is based on Ploutus-D. Note the following statement reported during the arrest
of three suspects in Wyoming, USA [6] in November 2017:
“One of the subjects reportedly appeared to be holding a small wireless mini-computer
keyboard”
Figure 0. Piolin - Interacting with Diebold Pin pad and Dispenser
Individuals behind Ploutus-D and Piolin variant
In this section we compare Piolin (CalcAgilis.exe) with the version of Ploutus-D
(AgilisConfigurationUtility.exe) targeting Diebold Agilis Middleware (see table above) and highlight the
evidence suggesting that the individuals behind the US heists may not be the creators of Ploutus-D.
Malware Hashes to compare
AgilisConfigurationUtility.exe - 60C1A0E0504318294B552F8CF395BB25 – Latin America
CalcAgilis.exe - 7FAEC476C914CDF0A595BDB9A1B5D59D - USA
New layer of obfuscation
The Ploutus developers' expertise is in the control of the ATM middleware. When it comes to malware
obfuscation, however, they use commonly available tools such as Confuser or Reactor for .NET. Piolin
(CalcAgilis.exe) includes another layer of protection using an MSIL (Microsoft Intermediate Language)
injector readily found in hundreds of malware families today. Although this layer did not help in avoiding
detection, it helped to hide the malware's purpose in the wild, as seen in Figure 1: 45 out of 66 endpoint products
detected it as malicious, but none of them labeled it as an ATM malware.
Figure 1: Detection of Ploutus-D
The MSIL injector operates by storing the encoded .NET binary in the resources section under the name "__".
It then loads and decodes it at run time. In Figure 2, we can see the second-stage .NET binary fully decoded
in memory, showing the ATM XFS APIs.
Figure 2: Piolin decoded in memory
Eventually the injector loads the workstation build (mscorwks.dll) of the Common Language Runtime
(CLR), version 2.0.50727 (hardcoded), via the "CorBindToRuntimeEx" API, which executes the
decoded .NET binary from memory. This second stage comes obfuscated with Reactor, as seen in the
previous variant from Latin America. Once de-obfuscated, we can see its main structure and the use of
Diebold XFS middleware classes (see Figure 3).
Figure 3: Ploutus-D Classes
Control of the Piolin Licenses
A key piece of the Ploutus criminal business is the licensing process, which is totally under the control of the
masterminds. The hypothetical process works as follows:
1. A local individual contacts the Ploutus organization for a license to use the malware.
2. After identity validation and payment are completed, a mule is trained to physically open
the targeted ATMs.
3. The mule does not know how the licenses are generated. His job is to install the malware in the
ATM using one of several techniques:
a. Inserting a CD-ROM/USB and starting the installation after rebooting
b. Extracting the hard disk for offline installation
4. Once the malware is installed, it is time to activate the license, which is tied to the hardware of the affected ATM and is only enabled by the masterminds by:
a. Sending an SMS message to the ATM
b. Connecting remotely via TeamViewer to the mule's laptop, which has the ATM hard disk mounted as another drive
c. Enabling the malware to generate a license key
5. Once the ATM malware is activated, the criminals have 24 hours to steal as much as they can.
6. If Ploutus needs to be activated for another day, go back to step 4.
As you can see, the masterminds protect the delivery of the licenses. Otherwise, anyone can generate
their own licenses without their permission.
Figure 5 illustrates the code to generate licenses. Left side of the figure shows the original code to
generate the license in Latin America. The right side shows the changes in the Piolin version as seen in
US.
Figure 5: Chunk of license generation code comparison (left: AgilisConfigurationUtility.exe, Latin America; right: CalcAgilis.exe, USA)
Significance of Licensing Differences
The code used to generate the Ploutus-D license was the same as in the previously detected Latin
American version. It was, however, changed in the US version. This suggests that new individual(s) are in
charge of the billing operation in the US.
Malware Signature changed
In the variants of Ploutus-D seen in Latin America, a peculiar signature is printed in the Log.txt file, as
seen in Figure 6.
Figure 6: Ploutus-D Signature
However, Piolin removes that signature and instead prints its own. As shown in Figure 7, every time
funds are withdrawn from the ATM, transaction information is stored in Log.txt, including the string
"Piolin Termino", a reference to the name of the malware (Piolin, Tweety in English).
Figure 7: Piolin Signature
Cassette Currency Validation
Ploutus-D supports USD and non-USD currency, as seen in Figure 8. Piolin, on the other hand, simply
defaults to the currency configured in the cassette, which suggests its operators assume it will be USD.
Figure 8: Ploutus-D Currency check
Logging activities
Log.txt continues to be used, but with extra information (again in Spanish). A new file in XML format
was added with the name "MandeB.bin", which basically stores the ATM settings, as illustrated in Figure 9.
Figure 9: Piolin new config file - MandeB.bin
Figure 10 shows that Piolin adds more status debugging messages. Interestingly, the messages are in
Spanish.
Figure 10: Piolin Logging
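As an added, defender-side example (not code from this paper or its authors), the following Python script hunts a mounted ATM drive for the two Piolin artifacts described in the signature and logging sections above: the "Piolin Termino" string in Log.txt and the XML settings file MandeB.bin. The log lines and XML body it writes are constructed samples, and because the paper does not document the MandeB.bin schema, the config check is limited to its presence and XML well-formedness.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Artifacts the paper attributes to Piolin: the string "Piolin Termino" written
# to Log.txt after every withdrawal, and an XML settings file named MandeB.bin.
SIGNATURE = "Piolin Termino"
LOG_NAME = "Log.txt"
CONFIG_NAME = "MandeB.bin"


def triage_log(text):
    """Return (number of signature lines, the matching lines) for a Log.txt body."""
    hits = [line for line in text.splitlines() if SIGNATURE in line]
    return len(hits), hits


def triage_directory(path):
    """Inspect a mounted ATM drive (or an image of it) for the two Piolin artifacts."""
    findings = {"signature_hits": 0, "signature_lines": [],
                "config_present": False, "config_is_xml": False}
    log_path = os.path.join(path, LOG_NAME)
    if os.path.isfile(log_path):
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            findings["signature_hits"], findings["signature_lines"] = triage_log(fh.read())
    cfg_path = os.path.join(path, CONFIG_NAME)
    if os.path.isfile(cfg_path):
        findings["config_present"] = True
        try:
            ET.parse(cfg_path)  # the paper only says it is XML, so check well-formedness
            findings["config_is_xml"] = True
        except ET.ParseError:
            findings["config_is_xml"] = False  # present but not XML: still worth reporting
    findings["suspicious"] = findings["signature_hits"] > 0 or findings["config_present"]
    return findings


def build_sample_dir():
    """Write constructed evidence (not a real Piolin log or config) into a temp dir."""
    path = tempfile.mkdtemp()
    log_lines = ["Iniciando", "Piolin Termino", "Esperando", "Piolin Termino"]  # constructed
    with open(os.path.join(path, LOG_NAME), "w", encoding="utf-8") as fh:
        fh.write("\n".join(log_lines) + "\n")
    with open(os.path.join(path, CONFIG_NAME), "w", encoding="utf-8") as fh:
        fh.write("<settings><placeholder>constructed</placeholder></settings>")  # constructed
    return path


if __name__ == "__main__":
    print(triage_directory(build_sample_dir()))
```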
Conclusion
Ploutus has been targeting banks worldwide for about 5 years. Its attempt to expand to the US may not
have been a smart move. First, the number of legacy ATMs is very low compared to Latin America.
Second, Ploutus requires physical installation, and it can take more than 30 minutes to empty the
teller machine. That is a difficult task when a 911 call to the authorities can have a response time of 5
minutes. We have already witnessed multiple arrests related to the heists [8]. The evidence that the
latest version changed the license issuing code suggests that a group different from the Ploutus
creators attempted to target North America with the new variant Piolin.
Ploutus is still actively compromising legacy ATMs running Windows XP or Windows 7, predominantly in
Latin America. Current solutions require an upgrade to the latest software and hardware, a requirement
that cannot be accomplished easily. A solution is needed to help protect these legacy ATMs.
Not the Fault of WindowsXP
It is important to clarify that the success of ATM malware is not due solely to Windows XP. Although the
OS simplifies malware installation, attackers can remove funds from the ATM if they gain SYSTEM
(higher user privilege) access. Unfortunately, the current solutions designed to protect the dispenser are
not compatible with legacy ATMs.
Ineffectiveness of Software-based endpoint protection
The ineffectiveness of software-based endpoint protection is widely known. We need only read the
newspapers regarding the latest heist to confirm such a belief. All major AV vendors are installed on the
targeted ATMs, yet they offer limited protection. AV vendors can't take all the blame. We need to assume
the attackers will gain physical access to the ATM and remove the hard disk. Once the hard disk is
removed, and assuming it is not encrypted, any type of software can be easily removed, even at kernel
level.
ATM Vendors
We can see the creators of Ploutus adding multiple layers of obfuscation to make detection of their malware
harder. Unfortunately, we do not see similar innovation from the ATM vendors. Their software is written
in .NET without any protection. One right click can grant full access to the source code, making it
easier for the Ploutus developers to understand and weaponize their code. It is time to add code-level
protection to the ATM middleware.
Disk Encryption
While disk encryption raises the bar and prevents offline attacks, it does not help in scenarios in which
the malware is installed through the bank's network. A real-world case of this was Ripper [7].
References
1. https://www.symantec.com/connect/blogs/criminals-hit-atm-jackpot
2. https://youtu.be/k-MqCFTD6kY
3. https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
4. https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/
5. https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
6. https://oilcitywyo.com/crime/2017/11/21/bank-robbery-suspects-arrested-jackson-hear-charges-fed-court-casper/
7. https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
8. https://oilcitywyo.com/crime/2017/11/21/bank-robbery-suspects-arrested-jackson-hear-charges-fed-court-casper/