
Piolin, the First Malware

Jackpotting ATMs in US

Meet Piolin, the first ATM Malware Jackpotting ATMs in US

Background

Ploutus is an ATM malware family discovered in 2013 [1] that targets ATMs manufactured by NCR in Mexico. Ploutus gained a lot of media coverage thanks to its capability to be controlled by SMS messages [2]. It exhibited other sophistication, such as the ability to switch the ATM into supervisor mode in order to dispense cash.

The next variant of Ploutus was seen in South America targeting ATMs manufactured by Diebold, hence the name Ploutus-D [3]. This variant was able to control the multi-vendor ATM software Kalignite (KAL). Here is the description of this software on its website:

"KAL's product suite enables ATM hardware, software and services sourced from multiple vendors to work together perfectly."

A perfect target for Ploutus-D, since the malware can then run on multiple vendors' hardware as well.

Around the same time, another variant of Ploutus-D was identified in Mexico, this time controlling Diebold's Agilis middleware [4]. As with the previous variants, the attackers demonstrated in-depth knowledge of the internal workings of the ATM manufacturers' middleware. This latest variant offered a new module that allows the attackers to manage ATMs remotely in order to set up the malware and issue licenses to their customers.

In January 2018, according to journalist Brian Krebs, the U.S. Secret Service quietly alerted financial institutions that Ploutus-D had been discovered jackpotting ATMs in the USA [5]. Analysis of the new variant revealed that it is a modified copy of the earlier version targeting Diebold Agilis middleware [4], but with some important differences. The differences suggest that the Latin American individuals behind Ploutus are not behind the recent heists in the US. Its authors named the new variant "Piolin" (the Spanish name of the cartoon character Tweety Bird).

This paper details the new features of the Piolin ATM malware and compares it with Ploutus-D.


Overview

Piolin is an ATM malware that is based on Ploutus-D but was created specifically to target ATMs in the US. The malware was presumably created by different individuals than the ones behind Ploutus.

Differences between Piolin and Ploutus-D:

1. Comes packed with a .NET injector as an extra layer of obfuscation
2. Targets only USD currency
3. The licensing mechanism has been changed
4. New XML-based logging class

Similarities between Piolin and Ploutus-D:

1. All the interaction with the malware and the dispensing logic is the same
2. Same Agilis software package installed in the ATM along with the malware
3. Targets Diebold Agilis middleware
4. Logging information is mostly written in Spanish

Evolution of Ploutus-D

The table below outlines the three known variants of Ploutus-D:

Malware    File name                        MD5                                Target          Date created  Country first seen
Ploutus-D  AgilisConfigurationUtility.exe   5AF1F92832378772A7E3B07A0CAD4FC5   Kalignite       2015          Peru
Ploutus-D  AgilisConfigurationUtility.exe   60C1A0E0504318294B552F8CF395BB25   Diebold Agilis  2015          Mexico
Piolin     CalcAgilis.exe                   7FAEC476C914CDF0A595BDB9A1B5D59D   Diebold Agilis  2017          USA

Interacting with Piolin

The way the attackers interact with Piolin is the same as with Ploutus-D (see Figure 0). It can be done via an external keyboard or the PIN pad. The version seen in Mexico, however, came with a WiFi module (SimpleWifi.dll) [4] that enables the ATMs to be managed remotely. Although Piolin is not confirmed to include such a module, it is based on Ploutus-D. Note the following statement reported during the arrest of three suspects in Wyoming, USA, in November 2017 [6]:

"One of the subjects reportedly appeared to be holding a small wireless mini-computer keyboard"

Figure 0. Piolin - Interacting with Diebold Pin pad and Dispenser

Individuals behind Ploutus-D and the Piolin variant

In this section we compare Piolin (CalcAgilis.exe) with the version of Ploutus-D (AgilisConfigurationUtility.exe) targeting Diebold Agilis middleware (see the table above) and highlight the evidence suggesting that the individuals behind the US heists may not be the creators of Ploutus-D.

Malware hashes compared:

AgilisConfigurationUtility.exe - 60C1A0E0504318294B552F8CF395BB25 - Latin America
CalcAgilis.exe - 7FAEC476C914CDF0A595BDB9A1B5D59D - USA

New layer of obfuscation

The Ploutus developers' expertise lies in controlling the ATM middleware. When it comes to malware obfuscation, however, they use commonly available tools such as Confuser or .NET Reactor. Piolin (CalcAgilis.exe) adds another layer of protection using an MSIL (Microsoft Intermediate Language) injector of the kind readily found in hundreds of malware families today. Although this layer did not help in avoiding detection, it did help to hide what the malware is, as seen in Figure 1: 45 out of 66 endpoint products detected it as malicious, but none of them labeled it as ATM malware.


Figure 1: Detection of Ploutus-D

The MSIL injector operates by storing the encoded .NET binary in the resources section under the name "__". It then loads and decodes it at run time. In Figure 2, we can see the second-stage .NET binary fully decoded in memory, showing the ATM XFS APIs.

Figure 2: Piolin decoded in memory


Eventually the injector loads the workstation build (mscorwks.dll) of the common language runtime (CLR), version 2.0.50727 (hard-coded), via the "CorBindToRuntimeEx" API, which then executes the decoded .NET binary from memory. This second stage is obfuscated with Reactor, as seen in the previous variant from Latin America. Once de-obfuscated, we can see its main structure and the use of Diebold XFS middleware classes (see Figure 3).

Figure 3: Ploutus-D Classes
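To make the loader description above concrete, here is an added triage script (not code from the paper, and not the malware's code) that scans a file or a process memory dump for the indicators the text names: the CorBindToRuntimeEx entry point, the hard-coded v2.0.50727 runtime version, mscorwks.dll, the "__" resource name, and the XFS API names that surface once the second stage is decoded. .NET metadata keeps identifiers as UTF-8 but user string literals as UTF-16LE, so every indicator is searched in both encodings. The sample buffers are constructed stand-ins, the XFS names are standard CEN/XFS exports of msxfs.dll, and the "two or more hits" thresholds are an assumption, not a published rule.

```python
"""Indicator scan for the MSIL-injector loader pattern and the XFS second stage.
Added example; the buffers below are constructed, not real samples."""
import re
from typing import Dict, List, Tuple

# Loader indicators quoted in the text.
LOADER_INDICATORS = [
    "CorBindToRuntimeEx",   # mscoree.dll export used to host the CLR
    "v2.0.50727",           # hard-coded CLR 2.0 runtime version string
    "mscorwks.dll",         # workstation build of the CLR
]

# CEN/XFS API names (exports of msxfs.dll). Seeing these in a dump of a
# "calculator" or configuration utility is what makes it an ATM concern.
XFS_INDICATORS = [
    "msxfs.dll", "WFSStartUp", "WFSOpen", "WFSRegister",
    "WFSExecute", "WFSAsyncExecute", "WFSGetInfo", "WFSClose",
]


def find_indicator(data: bytes, needle: str) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every ASCII or UTF-16LE occurrence."""
    hits: List[Tuple[int, str]] = []
    for enc in ("ascii", "utf-16-le"):
        pattern = re.escape(needle.encode(enc))
        hits.extend((m.start(), enc) for m in re.finditer(pattern, data))
    return sorted(hits)


def scan(data: bytes) -> Dict[str, object]:
    """Classify a buffer (file on disk or memory dump) by indicator groups."""
    loader_hits = {n: h for n in LOADER_INDICATORS if (h := find_indicator(data, n))}
    xfs_hits = {n: h for n in XFS_INDICATORS if (h := find_indicator(data, n))}
    # Managed resource names live in the #Strings heap as NUL-terminated
    # UTF-8; "\x00__\x00" is a cheap (and deliberately loose) check for the
    # "__" resource the injector uses. Treat it as supporting evidence only.
    resource_name_hit = b"\x00__\x00" in data
    return {
        "loader_hits": loader_hits,
        "xfs_hits": xfs_hits,
        "resource_name_hit": resource_name_hit,
        "loader": len(loader_hits) >= 2,   # assumed threshold
        "xfs": len(xfs_hits) >= 2,         # assumed threshold
    }


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-ins (not real samples), mixing the encodings an analyst
# actually meets: import-table style ASCII names and UTF-16LE user strings.
SAMPLE_INJECTOR = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"mscoree.dll\x00CorBindToRuntimeEx\x00"     # ASCII, import-table style
    + b"\x00__\x00"                                # resource name in #Strings
    + _u16("v2.0.50727") + _u16("mscorwks.dll")    # UTF-16LE user strings
    + b"\x00" * 16
)
SAMPLE_MEMORY_DUMP = (
    b"\x00" * 8
    + b"msxfs.dll\x00WFSOpen\x00WFSExecute\x00WFSGetInfo\x00"
    + _u16("Piolin Termino") + b"\x00" * 8
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"calc.exe\x00__init__\x00" + b"\x00" * 8


if __name__ == "__main__":
    for label, buf in (("injector", SAMPLE_INJECTOR),
                       ("memory dump", SAMPLE_MEMORY_DUMP),
                       ("benign", SAMPLE_BENIGN)):
        r = scan(buf)
        print(f"{label}: loader={r['loader']} xfs={r['xfs']} "
              f"resource_name={r['resource_name_hit']}")
```

Run it over the on-disk CalcAgilis.exe and you should expect the loader group to fire while the XFS group stays quiet; over a dump of the running process the reverse, because the second stage only exists decoded in memory. The two views together are what distinguish "generic MSIL injector" from "ATM malware", which is the labelling gap Figure 1 shows.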

Control of the Piolin Licenses

A key piece of the Ploutus criminal business is the licensing process, which is totally under the control of the masterminds. The hypothetical process works as follows:

1. A local individual contacts the Ploutus organization for a license to use the malware.
2. After a certain identity validation and payment are completed, a mule is trained to physically open the targeted ATMs.
3. The mule does not know how the licenses are generated. His job is to install the malware in the ATM using one of several techniques:
   a. Inserting a CD-ROM/USB and starting the installation after rebooting
   b. Extracting the hard disk for offline installation
4. Once the malware is installed, it is time to activate the license, which is tied to the hardware of the affected ATM and is only enabled by the masterminds by:
   a. Sending an SMS message to the ATM
   b. Connecting remotely via TeamViewer to the mule's laptop, which has the ATM hard disk mounted as another drive
   c. Enabling the malware to generate a license key
5. Once the ATM malware is activated, the criminals have 24 hours to steal as much as they can.
6. If Ploutus needs to be activated for another day, go to step 4.

As you can see, the masterminds protect the delivery of the licenses. Otherwise, anyone could generate their own licenses without their permission.

Figure 5 illustrates the code that generates licenses. The left side of the figure shows the original code used to generate the license in Latin America. The right side shows the changes in the Piolin version seen in the US.

AgilisConfigurationUtility.exe (Latin America) | CalcAgilis.exe (USA)

Figure 5: Chunk of license generation code comparison

Significance of Licensing Differences

The code used to generate the Ploutus-D license was the same across the versions detected in Latin America. It was, however, changed in the US version. This suggests that new individual(s) are in charge of the billing operation in the US.
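The six-step process above and the licensing comparison in Figure 5 both rest on one property: a license is bound to the ATM's hardware, expires after a day, and can only be minted by whoever holds the issuer's secret. The following added example models that property with an HMAC-based token. It is a hypothetical construction for illustration: the paper shows the real generation routine only as a screenshot and nothing here reproduces it; the hardware fields, key values, day numbering and token layout are all assumptions.

```python
"""Model of a hardware-bound, issuer-controlled, one-day license.
Added illustrative code; it does not reproduce the Ploutus/Piolin routine."""
import hashlib
import hmac


def hardware_id(machine_serial: str, disk_serial: str) -> str:
    """Fingerprint the ATM from identifiers a mule can read on site.
    Assumed fields: the paper does not say which hardware data is used."""
    raw = f"{machine_serial}|{disk_serial}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def license_tag(issuer_key: bytes, hwid: str, day: int) -> str:
    """HMAC over the machine fingerprint and the activation day number."""
    msg = f"{hwid}:{day}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()[:16]


def issue_license(issuer_key: bytes, hwid: str, day: int) -> str:
    """Issuer side (step 4). Only the holder of issuer_key can mint a token,
    which is what keeps the mule (step 3) dependent on the masterminds.
    The token is valid for the given day number only (step 5)."""
    return f"{hwid}:{day}:{license_tag(issuer_key, hwid, day)}"


def verify_license(issuer_key: bytes, token: str, hwid: str, today: int) -> bool:
    """ATM side, i.e. the check the malware would run before dispensing.
    Rejects tokens for another machine, another day, or another issuer."""
    try:
        t_hwid, t_day, t_tag = token.split(":")
        t_day_num = int(t_day)
    except ValueError:
        return False
    if t_hwid != hwid or t_day_num != today:
        return False
    expected = license_tag(issuer_key, t_hwid, t_day_num)
    return hmac.compare_digest(expected, t_tag)


# Two issuers with different keys: tokens from one are worthless to a build
# that carries the other. That is the situation a changed license routine
# (Figure 5) creates between the Latin American and US builds. The keys are
# made-up constants for the demonstration.
KEY_ISSUER_A = b"latam-issuer-key-example"
KEY_ISSUER_B = b"us-issuer-key-example"


if __name__ == "__main__":
    hwid = hardware_id("ATM-0001", "WD-XYZ123")   # constructed identifiers
    day = 17520                                     # arbitrary day number
    token = issue_license(KEY_ISSUER_A, hwid, day)
    print(token)
    print(verify_license(KEY_ISSUER_A, token, hwid, day))      # valid today
    print(verify_license(KEY_ISSUER_A, token, hwid, day + 1))  # next day: step 6
    print(verify_license(KEY_ISSUER_B, token, hwid, day))      # other issuer
```

One caveat worth drawing out: with a symmetric scheme like this, the ATM-side binary has to carry the issuer key to verify a token, so whoever extracts it from the malware can mint licenses for free. That is exactly why obfuscation (Reactor, and now the MSIL injector) matters to this business model, and why a change in the verification code is a meaningful signal about who is running the billing. A signature scheme where the ATM holds only a public key would close that hole; the page does not say which approach Ploutus actually takes.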


Malware Signature changed

In the variants of Ploutus-D seen in Latin America, a peculiar signature is printed in the Log.txt file, as seen in Figure 6.

Figure 6: Ploutus-D Signature

Piolin, however, removes that signature and instead prints its own. As shown in Figure 7, every time funds are withdrawn from the ATM, transaction information is stored in Log.txt, including the string "Piolin Termino" ("Piolin finished"), referring to the name of the malware.

Figure 7: Piolin Signature

Cassette Currency Validation

Ploutus-D supports USD and non-USD currency, as seen in Figure 8. Piolin, on the other hand, simply defaults to the currency configured in the cassette, which suggests its authors assume it will be USD.


Figure 8: Ploutus-D Currency check

Logging activities

Log.txt continues to be used, but with extra information (again in Spanish). A new file in XML format was added with the name "MandeB.bin", which basically stores the ATM settings, as illustrated in Figure 9.

Figure 9: Piolin new config file - MandeB.bin

Figure 10 shows that Piolin adds more status debugging messages. Interestingly, the messages are in Spanish.


Figure 10: Piolin Logging
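The on-disk traces described in the signature and logging sections (the "Piolin Termino" line in Log.txt, the XML settings file MandeB.bin) together with the hashes and file names from the evolution table are what an incident responder sweeps a pulled ATM disk for. The following added sweep script is not tooling from the paper. The sample "disk" is constructed in memory: the real MandeB.bin layout is only shown as a figure, so the XML body here is a placeholder, and the log lines are invented in the same spirit. Because MandeB.bin is attacker-written, the XML parser refuses oversized input and any DOCTYPE (entity-expansion) before parsing.

```python
"""Artifact sweep for Piolin/Ploutus-D traces on a mounted ATM disk.
Added example; sample contents are constructed, hashes are from the paper's table."""
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# MD5s from the evolution table above (lower-cased for lookup).
KNOWN_MD5 = {
    "5af1f92832378772a7e3b07a0cad4fc5": "Ploutus-D (Kalignite), AgilisConfigurationUtility.exe",
    "60c1a0e0504318294b552f8cf395bb25": "Ploutus-D (Diebold Agilis), AgilisConfigurationUtility.exe",
    "7faec476c914cdf0a595bdb9a1b5d59d": "Piolin, CalcAgilis.exe",
}
SUSPECT_NAMES = {"calcagilis.exe", "agilisconfigurationutility.exe", "mandeb.bin"}
LOG_SIGNATURE = "Piolin Termino"        # written to Log.txt after each dispense
MAX_XML_BYTES = 1 << 20                  # a settings file should be tiny


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def describe_xml(data: bytes) -> str:
    """Summarise the settings file without trusting it."""
    if len(data) > MAX_XML_BYTES:
        return "oversized, not parsed"
    if b"<!DOCTYPE" in data.upper():
        return "DOCTYPE present, not parsed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"unparseable XML ({exc})"
    tags = sorted({el.tag for el in root.iter()})
    return f"root <{root.tag}>, tags: {', '.join(tags)}"


def sweep(files: Dict[str, bytes], known_md5: Dict[str, str] = KNOWN_MD5) -> List[dict]:
    """files maps a relative path to its content (an in-memory stand-in for a
    mounted disk). Returns one finding per matched indicator."""
    findings: List[dict] = []
    for path, data in files.items():
        name = os.path.basename(path).lower()
        digest = md5_hex(data)
        if digest in known_md5:
            findings.append({"file": path, "indicator": "md5", "detail": known_md5[digest]})
        if name in SUSPECT_NAMES:
            findings.append({"file": path, "indicator": "filename", "detail": name})
        if name == "log.txt":
            # latin-1 never fails to decode, so a binary-polluted log still scans
            lines = [ln for ln in data.decode("latin-1").splitlines() if LOG_SIGNATURE in ln]
            if lines:
                findings.append({"file": path, "indicator": "log-signature",
                                 "detail": f"{len(lines)} line(s) with '{LOG_SIGNATURE}'"})
        if name == "mandeb.bin":
            findings.append({"file": path, "indicator": "xml-settings",
                             "detail": describe_xml(data)})
    return findings


def sweep_directory(top: str) -> List[dict]:
    """Same sweep over a real mounted image, e.g. a disk pulled from an ATM."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(top):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, top)] = fh.read()
    return sweep(files)


# Constructed stand-in for an ATM disk (not real artefacts; paths assumed).
SAMPLE_DISK = {
    "Windows/Temp/Log.txt": (
        "12:01:05 inicio\r\n"
        "12:01:09 Piolin Termino\r\n"
        "12:03:40 Piolin Termino\r\n"
    ).encode("latin-1"),
    "Windows/Temp/MandeB.bin":
        b"<Config><Cassette>1</Cassette><Billetes>20</Billetes></Config>",  # placeholder layout
    "Program Files/Diebold/CalcAgilis.exe":
        b"MZ\x90\x00 constructed placeholder, not the sample",
}


if __name__ == "__main__":
    for f in sweep(SAMPLE_DISK):
        print(f"{f['indicator']:14} {f['file']}: {f['detail']}")
```

Note that the placeholder CalcAgilis.exe bytes do not hash to the table's MD5, so the file is flagged by name only; a hash hit on a real disk is the strong signal, a name hit is a lead. Hash matching alone is brittle against the injector-packed variant (a repack changes the MD5), which is why the log signature and settings file are worth sweeping for as well.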

Conclusion

Ploutus has been targeting banks worldwide for about 5 years. Its attempt to expand to the US may not have been a smart move. First, the number of legacy ATMs is very low compared to Latin America. Second, Ploutus requires physical installation, and it can take more than 30 minutes to empty the teller machine. That is a difficult task when a 911 call to the authorities can have a response time of 5 minutes. We have already witnessed multiple arrests involved in the heists [8]. The evidence that the latest version changed the license-issuing code suggests that a group different from the Ploutus creators attempted to target North America with the new variant, Piolin.

Ploutus is still actively compromising legacy ATMs running Windows XP or Windows 7, predominantly in Latin America. Current solutions require an upgrade to the latest software and hardware, a requirement that cannot be accomplished easily. A solution is needed to help protect these legacy ATMs.

Not the Fault of Windows XP

It is important to clarify that the success of ATM malware is not due solely to Windows XP. Although the OS simplifies malware installation, attackers can remove funds from the ATM once they gain SYSTEM (the highest user privilege) access. Unfortunately, the current solutions designed to protect the dispenser are not compatible with legacy ATMs.

Ineffectiveness of Software-based endpoint protection

The ineffectiveness of software-based endpoint protection is widely known; one need only read the newspapers regarding the latest heist to confirm it. All major AV vendors are installed on the targeted ATMs, yet they offer limited protection. The AV vendors cannot take all the blame, though. We need to assume the attackers will gain physical access to the ATM and remove the hard disk. Once the hard disk is removed, and assuming it is not encrypted, any type of software can easily be removed, even at kernel level.

ATM Vendors

We can see the creators of Ploutus adding multiple layers of obfuscation to make detection of their malware harder. Unfortunately, we do not see similar innovation from the ATM vendors. Their software is written in .NET without any protection: one right-click in a decompiler grants full access to the source code, making it easier for the Ploutus developers to understand and weaponize it. It is time to add code-level protection to the ATM middleware.

Disk Encryption

While disk encryption raises the bar and prevents offline attacks, it does not help in scenarios in which the malware is installed through the bank's network. Ripper [7] was one such real-world case.

References

1. https://www.symantec.com/connect/blogs/criminals-hit-atm-jackpot
2. https://youtu.be/k-MqCFTD6kY
3. https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
4. https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/
5. https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
6. https://oilcitywyo.com/crime/2017/11/21/bank-robbery-suspects-arrested-jackson-hear-charges-fed-court-casper/
7. https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
8. https://oilcitywyo.com/crime/2017/11/21/bank-robbery-suspects-arrested-jackson-hear-charges-fed-court-casper/