Proactive Cybersecurity – Taking Control Away from Attackers

Attacks are getting bigger and bolder and this calls for a new approach to cybersecurity. Cybercriminals have broadened their scope beyond conventional computer systems and now almost every connected device can be a target. 2013 was the year of the megabreach, where we witnessed some of the biggest data breaches of all time with over 500 million records exposed. Point of Sale terminals have been infected with malware in order to siphon off millions of credit card records. Attackers are even going one step further and using malicious code to steal cold hard cash. A recent piece of malware, Ploutus, allows criminals to use a mobile phone to get an ATM to spit out cash by sending a simple text message.

An increasingly connected world means that attackers have access to more routes into a corporate environment. Default passwords and known vulnerabilities on peripheral devices and Web servers can provide an easy, direct path. And it isn’t just your own security you need to worry about. Many corporations have partners, suppliers, and service providers who have some level of access to the corporate network. These are often the weak link.

Attackers can also strike straight at the heart of an organization by targeting employees with well-crafted spear phishing emails. Once inside, the attacker can traverse the network to get to the data they’re seeking. They may need elevated privileges, and they may install hacking tools to facilitate this. Once attackers have the data they want, they need to exfiltrate it, maybe using a staging server along the way.

Organizations need to accept that attackers are well resourced, skilled, and will do what it takes to infiltrate their target and acquire their data, be it financial data, customer records, or intellectual property. Corporations need to get ahead of the attacker and embrace Proactive Cybersecurity.

What is Proactive Cybersecurity?
We know that attacks are multi-staged and persistent, but at each stage of a campaign the attackers leave traces of their presence. It might be a dropped file, hacking tools, a failed login, or a connection to an unknown FTP server. Proactive Cybersecurity takes these indicators of compromise and develops actionable intelligence so that you can learn to recognize attempted attacks and block them before attackers gain a foothold in your network. Proactive Cybersecurity puts you firmly in control of your network security.

To learn more about Symantec’s Proactive Cybersecurity solutions, join us at Symantec Vision.

Backdoor.Ploutus Reloaded – Ploutus Leaves Mexico


On September 4, 2013, we were the first to discover and add detections for a new malware targeting ATMs named Backdoor.Ploutus, as reported by our Rapid Release Definitions. Recently, we identified a new variant of this threat and realized that it has been improved and translated into English, suggesting that the ATM software is now being used in other countries.

Symantec added a generic detection for this new variant as Backdoor.Ploutus.B on October 25, 2013, so Ploutus can be detected when it is inactive and when it is running.

Infection methodology

According to external sources, the malware is transferred to the ATM by physically inserting a new boot disk into the CD-ROM drive. The boot disk then transfers malware.

Impact

The criminals have ported the malware to a more robust architecture and translated it into English, which suggests that they know the same ATM software can be exploited in other countries outside of Latin America.

The number of banks affected by Backdoor.Ploutus.B is out of the scope of this research and it should be handled by the affected parties.

New characteristics for Backdoor.Ploutus.B

The binary name of the English version is “Ploutos.exe” instead of “PloutusService.exe” and it has been changed from a standalone program to a modular architecture.

Figure 1. Ploutus modular architecture


The new NCRDRVP service is highly obfuscated, hides its malicious actions to avoid detection, and may perform the following actions:

  • Install or uninstall the service
  • Perform keyboard hooking
  • Load the Dispatcher DLL
  • Receive commands from the criminals through the ATM keypad
  • Forward the commands to the Dispatcher through a raw socket

The Dispatcher will listen for instructions by creating a raw socket. The raw socket is not easy to discover because it is not listed in the TCP or UDP protocols that the system uses. The Dispatcher may perform the following actions:

  • Parse the received commands to make sure they are valid
  • Execute Ploutus through command line arguments

Backdoor.Ploutus.B has the same interface (the NCR.APTRA.AXFS class) and still concentrates on dispensing money, but there are several differences. This version has the following characteristics:

  • It can print the entire ATM configuration if a USB Printer is connected to the machine (the Spanish version sends this information to a log file instead)
  • It does not feature a graphical user interface (GUI) and instead accepts commands from the ATM keypad
  • It will display a window to the attacker describing the money available in the ATM and a transaction log while dispensing the money
  • It does not offer support for a keyboard to be connected to the ATM
  • It withdraws money from the cassette with the most available bills, but lacks the option to enter a specific bill amount

Figure 2. Window showing money available in compromised ATM


Actions performed by Backdoor.Ploutus.B

The new version has the same functionalities as the old version:

  • Generates a random number and assigns it to the compromised ATM based on the current date at the time of infection
  • Sets a timer to dispense money (the malware will only dispense money in the first 24 hours after it is activated)
  • Dispenses money from the cassette with the most available bills

Interacting with Backdoor.Ploutus.B through the ATM keypad

The attackers send a 16-digit command code using the ATM keypad, which is received by the NCRDRVP service:

  • 123456789ABCDEFG

The code is then forwarded to the Dispatcher through a raw socket. The Dispatcher then sends a 33-digit instruction to Ploutus through the command line:

  • cmd.exe /c Ploutos.exe 5449610000583686=123456789ABCDEFG

If the last 16 digits are equal to: 2836957412536985, then Ploutus will generate an ATM ID. If Ploutus generates an ATM ID, the attackers can enter the same 16 digits, but will replace the final two digits in order to perform various actions.

If the final two digits are 99:

  • Ploutus will be terminated

If the final two digits are 54:

  • The ATM ID will be activated through a code generated based on an encoded ATM ID and the current date. This value is stored in the DATAC entry in the config.ini file. A valid ATM activation code must be obtained in order for the ATM to dispense cash.
  • A timer will be set to dispense the money and the value will be stored in the DATAB entry in the config.ini file.

If the final two digits are 31:

  • The ATM will dispense money and print the entire ATM configuration if a USB printer is connected

Dispense process compromised

  1. Ploutus will identify the number of dispenser devices in the ATM.
  2. It then obtains the number of available cassettes per dispenser and loads them. In this case, the malware assumes there is a maximum of four cassettes per dispenser since it knows the design of the ATM model.
  3. Next, it calculates the amount to dispense based on the bill count set as 40, which is multiplied by the cash unit value.
  4. It then starts the cash dispensing operation. If any of the cassettes have less than 40 units (bills) available, then it will find the cassette with more available units and dispense all the money from that cassette only.
  5. It will open a panel (see Figure 2) that displays the details of the transaction as well as the remaining money in the ATM. It will then hide the panel.
  6. Finally, it will repeat step four every time Ploutus is requested to dispense money.

ATMs spewing cash at a location near you

This discovery underlines the increasing level of cooperation between traditional physical world criminals with hackers and cybercriminals. With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that to carry out successful heists, they now require another set of skills that wasn’t required in the past. The modern day bank robbers now need skilled IT practitioners on their team to help them carry out their heists. This type of thing isn’t just happening in films, it’s happening in real life, but this issue does not directly affect ATM users. In this case, financial institutions are the targets. Symantec recommends the following best practices:

  • Configure the BIOS boot order to only boot from Hard Disk (no CD/DVD, USB)
  • Secure the BIOS with a password so that the attackers cannot reconfigure the boot options
  • Consider removing hardware that allows the BIOS to read and boot from removable media
  • Ensure that AV signatures and security solutions are up to date

Criminals Hit the ATM Jackpot

Contributor: Val S


It’s well-known that organized crime in Mexico is always finding new ways to steal money from people. Automatic teller machines (ATMs) are one of the common targets in this effort, but the challenge there is actually getting the money out of the machine. The three most common ways to accomplish this are:

  1. Kidnapping: Criminals kidnap a person for as long as it takes to withdraw all the money from their account. The time depends on the money available in the account since normally there is a limit on the amount allowed to be dispensed per day.
  2. Physically stealing the ATM: Criminals remove the ATM and take it to a location where they can go to work accessing the cash inside. In this scenario, the loss of cash is only one consequence as the criminals would also gain access to the software running on the ATM, which could be reverse-engineered in order to prepare an attack against all ATMs running the same software.
  3. ATM Skimming: Devices are placed over the card reader in order to steal personally identifiable information (PII) data like PIN numbers. Fake number pad overlays can also be used to record which buttons are pressed.

While the above scenarios all rely on external factors to succeed, criminals would like nothing more than a way for them to make an ATM spew out all its cash just by pressing some buttons (similar to the demo presented by the late Barnaby Jack at 2010’s BlackHat conference). Unfortunately for banks, it seems as though the bad guys’ dreams may have come true. In parallel investigations with other AV firms, Symantec identified this sample on August 31, 2013 and a detection has been in place since September 4, 2013. We detect this sample as Backdoor.Ploutus.

Infection methodology

According to external sources, the malware is transferred to the ATM by physically inserting a new boot disk into the CD-ROM drive. The boot disk then transfers malware.

Impact

The criminals created an interface to interact with the ATM software on a compromised ATM, and are therefore able to withdraw all the available money from the containers holding the cash, also known as cassettes.

One interesting part to note is that the criminals are also able to read all the information typed by cardholders through the ATM keypad, enabling them to steal the sensitive information without using any external device.

Although no confirmation has been received from other countries being affected by this threat, banks in other countries using the same ATM software could be at risk.

Technical characteristics of Backdoor.Ploutus

  1. It runs as a Windows service named NCRDRVPS
  2. The criminals created an interface to interact with ATM software on a compromised ATM through the NCR.APTRA.AXFS class
  3. Its binary name is PloutusService.exe
  4. It was developed with .NET technology and obfuscated with the software Confuser 1.9
  5. It creates a hidden window that can be enabled by the criminals to interact with the ATM
  6. It interprets specific key combinations, entered by criminals, as commands that can be received either by an external keyboard (that must be connected to the ATM) or directly from the keypad
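
The indicators in the two write-ups on this page (the Ploutus.B keypad section with its `cmd.exe /c Ploutos.exe <16 chars>=<16 chars>` launch line, and the technical characteristics list above) can be turned into a host-inventory check. This is an added example, not Symantec's code; the service list, process command lines and config.ini contents below are constructed sample input, while the service names, binary names, config keys and command-line shape come from the page.

```python
import re

# Indicators named on this page for the Spanish and English Ploutus variants
SERVICE_NAMES = {"NCRDRVP", "NCRDRVPS"}
BINARY_NAMES = {"ploutos.exe", "ploutusservice.exe"}
CONFIG_KEYS = {"DATAA", "DATAB", "DATAC"}      # ATM ID, timer, activation code
# Dispatcher launch line: Ploutos.exe <16 chars>=<16 chars>
CMDLINE_RE = re.compile(r"ploutos\.exe\s+[0-9A-Za-z]{16}=[0-9A-Za-z]{16}", re.IGNORECASE)


def scan_service_list(entries):
    """entries: (service_name, image_path) tuples from a service inventory.
    Returns (service_name, reason) for each entry matching a Ploutus indicator."""
    hits = []
    for name, path in entries:
        exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.upper() in SERVICE_NAMES:
            hits.append((name, "service name matches Ploutus"))
        elif exe in BINARY_NAMES:
            hits.append((name, f"binary name {exe} matches Ploutus"))
    return hits


def scan_process_cmdlines(cmdlines):
    """Return command lines shaped like the Dispatcher's launch of Ploutos.exe."""
    return [c for c in cmdlines if CMDLINE_RE.search(c)]


def scan_config_ini(text):
    """Return which of the DATAA/DATAB/DATAC entries an ini file contains."""
    found = set()
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().upper()
        if key in CONFIG_KEYS:
            found.add(key)
    return sorted(found)


# Constructed sample input (not real telemetry); the Ploutos.exe line is the one quoted on the page
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("NCRDRVP", r"C:\Program Files\NCR\Ploutos.exe"),
    ("Updater", r"C:\Temp\PloutusService.exe"),
]
SAMPLE_CMDLINES = [
    "cmd.exe /c Ploutos.exe 5449610000583686=123456789ABCDEFG",
    "cmd.exe /c ipconfig /all",
]
SAMPLE_INI = "[settings]\nDATAA=1234\nDATAB=2013-11-01\nname=x\n"
```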

Actions performed by Backdoor.Ploutus

  1. Generate ATM ID: Randomly generated number assigned to the compromised ATM, based on current day and month at the time of infection.
  2. Activate ATM ID: Sets a timer to dispense money. The malware will dispense money only within the first 24 hours after it was activated.
  3. Dispense cash: Dispense money based on the amount requested by the criminals.
  4. Restart (Service): Reset the dispense time period.

The list of commands mentioned above must be executed in order, since it must use a non-expired activated ATM ID to dispense the cash.

The source code contains Spanish function names and poor English grammar that suggests the malware may have been coded by Spanish speaking developers.

Interacting with Backdoor.Ploutus through the keypad

As noted previously, this type of interaction does not require an additional keyboard to be connected.

The following command codes, entered using the ATM keypad, and their purpose are as follows:

12340000: To test if the keyboard is receiving commands.

12343570: Generate ATM ID, which is stored in the DATAA entry in the config.ini file.

12343571XXXXXXXX: Has two actions:

  1. Activate ATM ID by generating an activation code based on an encoded ATM ID and the current date. This value is stored in the DATAC entry in the config.ini file. The eight bytes read in must be a valid encoded ATM ID generated by a function called CrypTrack(). A valid ATM activation code must be obtained in order for the ATM to dispense cash.
  2. Generate timespan: Sets a timer to dispense money, the value will be stored in the DATAB entry in the config.ini file.

12343572XX: Commands the ATM to dispense money. The XX digits represent the number of bills to dispense.

Interacting with Backdoor.Ploutus through a GUI

This method requires the use of an external keyboard.

F8 = If the Trojan window is hidden then this will display it in the main screen of the ATM, enabling criminals to send commands.

After the Trojan window is displayed, the following key commands can be issued by pressing the appropriate key on the keyboard:

F1 = Generate ATM ID

F2 = Activate ATM ID

F3 = Dispense

F4 = Disable Trojan Window

F5 = KeyControlUp

F6 = KeyControlDown

F7 = KeyControlNext

F8 = KeyControlBack

Figure. Trojan key commands

Dispense process compromised

It is clear that the criminals have reverse engineered the ATM software and came up with an interface to interact with it, and, although we are not ATM architects, based on the code we have reviewed we can infer that Backdoor.Ploutus has the following functionalities:

  1. It will identify the dispenser device in the ATM.
  2. It then gets the number of cassettes per dispenser and loads them. In this case the malware assumes there is a maximum of four cassettes per dispenser since it knows the design of the ATM model.
  3. Next, it calculates the amount to dispense based on the bill count provided, which is multiplied by the cash unit value.
  4. It then starts the cash dispensing operation. If any of the cassettes have less than 40 units (bills) available, then, instead of dispensing the amount requested, it will dispense all the remaining money available in that cassette.
  5. Finally, it will repeat step four for all remaining cassettes until all the money is withdrawn from the ATM.

ATMs could be spewing cash at a location near you…

What this discovery underlines is the increasing level of cooperation between traditional physical world criminals with hackers and cybercriminals. With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that to carry out successful heists, they now require another set of skills that wasn’t required in the past. The modern day bank robbers now need skilled IT practitioners on their team to help them carry out their heists. This type of thing isn’t just happening in films, it’s happening in real life, possibly at a bank machine near you.